Malware Analysis Report

2024-12-07 10:03

Sample ID 241114-clrptaslf1
Target bdcee81a9236121e17b65292442195b7d9f493be47ad892b22b5a27f2a12ee9b
SHA256 bdcee81a9236121e17b65292442195b7d9f493be47ad892b22b5a27f2a12ee9b
Tags
upx discovery ransomware
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

bdcee81a9236121e17b65292442195b7d9f493be47ad892b22b5a27f2a12ee9b

Threat Level: Likely malicious

The file bdcee81a9236121e17b65292442195b7d9f493be47ad892b22b5a27f2a12ee9b was found to be: Likely malicious.

Malicious Activity Summary

upx discovery ransomware

Renames multiple (3775) files with added filename extension

Renames multiple (4548) files with added filename extension

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

UPX packed file

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-14 02:10

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-14 02:10

Reported

2024-11-14 02:12

Platform

win7-20240903-en

Max time kernel

150s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bdcee81a9236121e17b65292442195b7d9f493be47ad892b22b5a27f2a12ee9b.exe"

Signatures

Renames multiple (3775) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\bdcee81a9236121e17b65292442195b7d9f493be47ad892b22b5a27f2a12ee9b.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\bdcee81a9236121e17b65292442195b7d9f493be47ad892b22b5a27f2a12ee9b.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\splash.gif.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.nl_ja_4.4.0.v20140623020002.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Checkers\it-IT\chkrzm.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\en-US.pak.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\db\bin\stopNetworkServer.bat.exe.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.Luna.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Journal\it-IT\JNTFiltr.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\content-foreground.png.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File created C:\Program Files\Java\jre7\bin\sunec.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Riyadh87.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.text.nl_zh_4.4.0.v20140623020002.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sr.pak.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Nauru.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\vlc.mo.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_ca.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\wab32.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Internet Explorer\SIGNUP\install.ins.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\CST6CDT.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.commons.logging_1.1.1.v201101211721.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\jhall-2.0_05.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\management\jmxremote.password.template.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Asia\Shanghai.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\play-static.png.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-next-static.png.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libwave_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help_3.6.0.v20130326-1254.jar.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File created C:\Program Files\Java\jre7\lib\fonts\LucidaSansRegular.ttf.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\vlc.mo.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File opened for modification C:\Program Files\Windows Defender\MpCmdRun.exe.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File created C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\MSTTSLoc.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationLeft_ButtonGraphic.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Hovd.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.sun.el_2.2.0.v201303151357.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-modules-favorites.xml_hidden.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\TravelIntroToMainMask.wmv.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_CopyDrop32x32.gif.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-sendopts_zh_CN.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Extensions.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationRight_ButtonGraphic.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\db\bin\dblook.bat.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\InkObj.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File created C:\Program Files\Microsoft Games\More Games\ja-JP\MoreGames.dll.mui.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.zh_CN_5.5.0.165303.jar.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench_1.2.1.v20140901-1244.jar.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\video_filter\libmagnify_plugin.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Journal\jnwdui.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File created C:\Program Files\Common Files\System\msadc\msadco.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\sawindbg.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\lt.pak.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\README.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.application.zh_CN_5.5.0.165303.jar.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-lib-uihandler_ja.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\ado\ja-JP\msader15.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationRight_SelectionSubpicture.png.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Indiana\Vevay.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\New_Salem.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libswscale_plugin.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwresmlm.dat.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationRight_ButtonGraphic.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\SuspendUpdate.wmv.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_description_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-compat_zh_CN.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvmstat_ja.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bdcee81a9236121e17b65292442195b7d9f493be47ad892b22b5a27f2a12ee9b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Zombie.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2504 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\bdcee81a9236121e17b65292442195b7d9f493be47ad892b22b5a27f2a12ee9b.exe C:\Windows\SysWOW64\Zombie.exe
PID 2504 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\bdcee81a9236121e17b65292442195b7d9f493be47ad892b22b5a27f2a12ee9b.exe C:\Windows\SysWOW64\Zombie.exe
PID 2504 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\bdcee81a9236121e17b65292442195b7d9f493be47ad892b22b5a27f2a12ee9b.exe C:\Windows\SysWOW64\Zombie.exe
PID 2504 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\bdcee81a9236121e17b65292442195b7d9f493be47ad892b22b5a27f2a12ee9b.exe C:\Windows\SysWOW64\Zombie.exe
PID 2504 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\bdcee81a9236121e17b65292442195b7d9f493be47ad892b22b5a27f2a12ee9b.exe C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe
PID 2504 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\bdcee81a9236121e17b65292442195b7d9f493be47ad892b22b5a27f2a12ee9b.exe C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe
PID 2504 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\bdcee81a9236121e17b65292442195b7d9f493be47ad892b22b5a27f2a12ee9b.exe C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe
PID 2504 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\bdcee81a9236121e17b65292442195b7d9f493be47ad892b22b5a27f2a12ee9b.exe C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe

Processes

C:\Users\Admin\AppData\Local\Temp\bdcee81a9236121e17b65292442195b7d9f493be47ad892b22b5a27f2a12ee9b.exe

"C:\Users\Admin\AppData\Local\Temp\bdcee81a9236121e17b65292442195b7d9f493be47ad892b22b5a27f2a12ee9b.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe

"_Get-PackageCacheLocation.ps1.exe"

Network

N/A

Files

memory/2504-0-0x0000000000400000-0x000000000040A000-memory.dmp

\Windows\SysWOW64\Zombie.exe

MD5 6b8fc3c72c7633c8f6fa384823c3d835
SHA1 92e77961bd673ee0e2f7e22472b10db3291b1561
SHA256 94f34af6da831e7170f311e96fa1637e419d58e96d3588b5daef677157016eab
SHA512 5f1091aa9e61cd14b867dfadf6d4261e67868e8001d3d1c783fcb57b714994a673415fed06c1940af955f336a32cfa113597418c9add0972ee95bbf6cad44c18

C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe

MD5 334c679ffcf438698c1cb300818e7fc7
SHA1 fde121488130739de6e63386d4c09008a533c019
SHA256 585315100306858b19a34af6741637d6b2a4f4a92f01447f8ff39fbda7fba864
SHA512 40b327e82b3bc98dc5353bd24ab014af71ce5e9fbddfd338b4b20aaf62fd66aec98d7d37b2a89f6af322478f5791b956008f10bf4e9c65bb647cd3a3c2020bac

C:\$Recycle.Bin\S-1-5-21-3533259084-2542256011-65585152-1000\desktop.ini.exe.tmp

MD5 eb2fa93f5f92c7c2de553641401961b3
SHA1 a7c8d41f808c099be17575b5e0eb5d9963b5e7ff
SHA256 115ae55e4420479543ce909640ea0d7046256d58ea8dec0df68023fb2f0fd5e4
SHA512 59cf481f844c7f43a1be5c9cc01cec6d67bcf1681853fb0b49a473f88f454e54cfa4b0e24bd1035299782407711b7f29c3698979ca82e3d155a5df5681764c25

C:\$Recycle.Bin\S-1-5-21-3533259084-2542256011-65585152-1000\desktop.ini.exe

MD5 3c3a824670023fd9b1acee8575c68d92
SHA1 6292f00c452943acc534dfe923fe5f4a5f953826
SHA256 89f5f241f4e4ed6cd5ef869b7f5dd7dbae9d4f2c19f5e5a514c8c138e9fc7ea2
SHA512 6e278bd9da38bbffad3487a01ce384675e65fcd942cebfd53d93c181dcc85fd9e797e62e69041efea7466be622a95cddc7695cb1d1d54a808cfd96322eb75de8

memory/2916-23-0x0000000000400000-0x000000000040A000-memory.dmp

memory/2504-22-0x0000000000280000-0x000000000028A000-memory.dmp

memory/2684-21-0x0000000000400000-0x000000000040A000-memory.dmp

memory/2504-13-0x0000000001BF0000-0x0000000001BFA000-memory.dmp

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.tmp

MD5 9f6c8e44485c3388f9e9cf6fb7aa9473
SHA1 b22cd20915145198a499f929cd2e3e28f32695df
SHA256 3817ab81dfe5bc967b654d5883a83d0cb675526a9705eb4d9b371eca382487a9
SHA512 ff7047ea81aa2876ecb1b9e617630b5b137a8ec2e2465f14fd636548b052f92fb6a455e7192dc189562da9936d172047047f89b7f918ad7685e9522afd02e232

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

MD5 e5ef2c3fdc1f49551afbacdae7ff77ee
SHA1 b0ed5c5b2838803ac171cb9b391b261794f822a4
SHA256 7268fc658c7b8c183864a801bd678888e7e0c0e5b0f74e21da76b966e1440812
SHA512 19cc56f047ba25d92a12b2812a2fb06c604757b636d1999f05cbce9137d84b344f07e6ebcbe88b2cad5ceba9c081b31da16f92f73dfeaa4fbcc1705599f7391f

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\osetup.dll.tmp

MD5 1290f09928a30c961509f1c1b2953fa8
SHA1 ef0a0c6542df55b80cfa8ce83b618951e6a5279c
SHA256 f193c7bb957113408280fba51ef04b48673d2c49eaf4aa4794b79e0b21dfd279
SHA512 fca201fd2d95e1bc64f5fccf5d6321a03de49a8a54a0ea74be81196633f239298d4afbf94100c275c5a44e77658694c6d7de0ca80fe08ba05e9fc3c901c332f6

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.tmp

MD5 f340fe717927a3f728911ef4ddc7047b
SHA1 81069884f038bedf6107250d27f9c8885abbf1b4
SHA256 ccb9635b4ecd3952ec776b1d3b2e3a48a65e16cb5b08d5bef5664696fa6dc9a3
SHA512 898f1dbf4ecacdb3e96e0e9fdaac8cba28d4828c275e43fb7fa1bbcfb72790dade481672cfdc4ecf54bda99983b2e3f1d1416c468aa760f8ec15043d2359235d

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.tmp

MD5 1b6231fa001d798b84ac69dc321348fa
SHA1 8860bbf8830cea3ab8bd2cc98c6a3cd6e9d5a847
SHA256 627a306a6aec74b47f1b0d33d207916adc1ab41b2c4fe3a41e2f3a05e7594941
SHA512 635482b8fe86ecaeb4db18e69baaa466443bf671d29983eeb27383647d955bf4e30e6d0ad4d1773b8470b9e9bb3c91273796fdda5fc10326ac4f238ded4f4d6c

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

MD5 cbfbbbb8a18f0d06cb20c8972ec719d2
SHA1 26f8f7090889e9d6dc5b7fbe9428f836577802ad
SHA256 33a7f4799ade11b9e8d37a73f3ddf1a4b7934785fa7d9cfc176a562e3d054d39
SHA512 aa3e9e11eebe57dcd1f733a1f9deafe58651be29262c1fda158e5b190e00d5b8deeebb6fc11e3078e75c310b1bcba2e287e0c9ad57682cc1b62cac47c26a2cf9

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.tmp

MD5 03c26d46e96ae8e5a87cd03f205d1606
SHA1 aad5b7cb8e4159415bf0b75646c99a5af9930715
SHA256 5c39b2c461ccf6464dbdcfe752b12a0b3aea04b7b67bc16a53c2a4131797b6f6
SHA512 b240e918965121e240085c273c5aff64d575131c48ae73fe8311fa88ae2b01307a670bc5d6979e95df4b850e22c865f52d0832879127aea7a64469aa0a7d1f18

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.exe

MD5 bfbc61e33e6cd082ae83ae7fc9691787
SHA1 0b95e6dbe90ff400131519c899848d4b00a86c33
SHA256 0139fd9922d9780d1ae8591638f9b42f7f421fd2f475180d6eed55512ade90ef
SHA512 62712101c65a5d79af8faae523ab5f4ea5241d1b843622d5f3b78f4d43740ce6102964c2961bda4d2e60baa694c7ada6a50f314becd72f1bb295f762998d7052

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.tmp

MD5 cf16a9d28a9a1fe8aca3945e6b4c763c
SHA1 7f50ccb01b04769e5626ae21ef89e17fdd9cb188
SHA256 6ba9d0f57a4b44fe19555adb8971ce58568afdc74feb4c5d7b4f2676c6c3f669
SHA512 a695992d1c0dcb0cde17711f554fa7aab149441278db194b371de51b66deb6612a947a9ab2ab0f6325af8d1b1d6823659f8a9cba77fcb4003eb86ec76aa3bd40

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml.exe

MD5 8948e6b1d77882e9d0b6af18b5aa4079
SHA1 ad8a6a7cf7af1fe5eacaca1436cc5590ac1459d4
SHA256 17b61d9f76c0ddc97d6689ece964869f7b1c5c992fe65d69a4b91ee1ea8b82bb
SHA512 869f54146873d9d6102055fc6c971f890599d6b42d39753bf1bc69553ac483b83081d80acbcf7fd75aaa470323f78617545d8932ce0bb3e36289b09e7d35135a

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml.exe

MD5 e57f26f47b06918586ec4bf8283b41d8
SHA1 773e905cc6494ba0ed938f53eaffd0a81e368fae
SHA256 2c65cf5f244d9c49e1abcbd2b3ad2e175c45c8e1db73427752915fb4c49a7d19
SHA512 ee94374f4cf64b860c917f5711445b3df4761a0f22d264b4525c026e0e442e22144b31047acce21920be7c87a9b525ab2b84cdf47111e9b855849097a3ab65fe

memory/2504-98-0x0000000001BF0000-0x0000000001BFA000-memory.dmp

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.tmp

MD5 245138517a7322d6e1ffe1b08e4d2b49
SHA1 b76ad30ff3459d27d31ce6ba5b1b91977fe9d81e
SHA256 3d8ff41c09edea0b7d2486e3f4865e05b2892efd91cd75f05312db0338a643e4
SHA512 b8843f33f121e6d4d4e88467c458c4ae0c2e86b4a84ca2884880cb27a5954756b9618aa9b4c09cc3d396b0778671a3f93495a57e11ebe287f8bc9971fea74d6d

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi.tmp

MD5 0c9d581ecbf87fead73596e4a3c4c8b3
SHA1 ffe20a170909aca04fdd263070150be805740175
SHA256 dbedfb191713872f190da6df329b069f77127006b0cb592dae8f3c569952b06d
SHA512 67aac422e085b12c5278bc0b22d509571691dd5a6e407cf7cf1baa49c6f524c6714bd18a89cfaebeb9b23c63b44e268c9823407d6581c30eb38590412ff9e902

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.exe

MD5 6ce9db90369ed0354d2f9c43af775b0c
SHA1 4d2eb8876fc2466d65f4b39d0c94247df4159b8f
SHA256 b0616c441897b8c99302a5e03a2a170c596364f8ba0e092c5db588dc47b5f21a
SHA512 6b3d0cc9db5149624fc0149b65680a39334e3370bb0dd287ea1cdee7e9c21845c74bdb70b289fe7c08b4aa5795078df63d1027730f5308747dd300ec108f1b3a

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi.tmp

MD5 872384888c7c2a834e347c98f67f0eeb
SHA1 c3cf777bd006fd0bad428d219008119cf690effe
SHA256 2516ce54892fbf8816eab5229dc42677a21be7ca6b2461cf01c6f7f1d5d378c7
SHA512 82dcf32c0e09500ac1af324613db75db0d6dd1848a4a4ac49ee828f20503a09cd76df4c04f6bd5b81ced7470b639a9d377434747207b5479c46ba96775032451

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.tmp

MD5 006e69bbdaa53fbbf07da70f24d2afaf
SHA1 45604122e297c644bca8014155f6d4bb58e0032f
SHA256 40390bd82125fd2600fc3b9de6093f0c4268d4e2c9974404c7cdbba0a1b67244
SHA512 72ac350ce02f750034f9031e2812dbc7d8bce2016d1ce10e964a0f06aeb16bd98e127178ad4014ea6b926e6b91472ca3a6b4e6bf12c5c28b8cf8ac674403e570

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab.tmp

MD5 e15041e66422df400ef69b9d034385dc
SHA1 122ac32f7c10cbf013838f52bd312150b2763b8f
SHA256 9bc51c674db7d9b0041334cec71bf7c1dfb6b87e2a258ab364bb9ae64b63f836
SHA512 d58cc182a1c2f33c959da507aac18ad277221d41146023ab48183ae0eee5b164dd8a29e5c27b2f522768a15d93988b8ed2b30524e0d0a7559846f0cb84ce4655

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab.tmp

MD5 0c023ff50c48c733ea22dc0b4ef3a2d9
SHA1 cdf8b599351e704d6fa6f3dc409c61892c94fb4f
SHA256 acec0b322df9c5d6020abcae7368192e5e65b75927d52512ea1953fed2343d76
SHA512 0e83670de49d427a4b704d38036804230b969cbf19e9b4f6a29bcc739435bb707d7b5a7f37a0e3cc92e0376af2bbed975ee54a3155868c5a20b41392d701752a

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi.tmp

MD5 418b264c67697eb12ed0b052c15d812b
SHA1 4e28e3b55ea855904316fcd53452ddb8a42d8fe1
SHA256 945a1074a220df38ae3d3d7bfc86b68fbae8a017dd59195a4a9405a82c2fc887
SHA512 c5e49e11f8701fa9495cc70a5ca3bd710f57ed9422b8feb609e1559aa6ca197341a00c3956b302e1222c510bbf9b108e0abac76e732b1a36dfb4816715f71585

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi.tmp

MD5 706d5f14f5d83cdb2ee83a6a09790cab
SHA1 08ae6a18e39a6bcaabbaeb7a42440b43e4b03bdd
SHA256 8de97263f9e1d6cef04be1a66dda1521887b5b0a45e02aee3f0f6edb360726ce
SHA512 f76acd4408dbfd2b7dd256704fd99d546424710d4346b5fd0dbf5440ad4835ee4a2b3f3ed5897bcd5e74eb1dca4b69012fb50e02db9f77e8a5c5d89b8b2174df

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.tmp

MD5 baf58127758991130255ae153e94c513
SHA1 64910d4f19d1b22ca3f441207c95b4248f5197b0
SHA256 47e400735c44ecef4f8d6087786b2ddea9029bbdd774b988c44f43835fb618b2
SHA512 418069f16310d48b4a3875755bca2a5cfc617ae3a345acccec270508f432681d4ca8fafff97f7478933df76c281e82f6757f40ba38969bea46b34ce21f77eeba

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab.tmp

MD5 e7819fe6ca0e8abdfb9927cfd4e485fb
SHA1 150f325e7d0000279d8ce7e0586742ff05836eb8
SHA256 0eb012347e585eec1b196a482454c2e4da85c3297c1b1abcff68c0312a8cd828
SHA512 74fa6c302f6c055dec334d122baaf3b789f09355bf150cace33b5d5e0743166dd0a4fcd0bd66072c5b8d1741484a5f839fdd451d67745a3c7acd17035971d16e

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi.tmp

MD5 5dd4a522b1458bde3ffcfcf0eaf5e0d8
SHA1 d23aaf5ba0df51132e3764e21313e04ee4133e29
SHA256 a9d924454f29e774abd35866b96adfc2fe6f4083a1819b8b41a2adebe7e38766
SHA512 74a8e0f420d5ca07b62c46a84e6fadd54184cd586c3bd65b6be950a1e1df70137db33cc055f7d0ab6c5ece869efa4eb98349f1997e03dc05cc2e80b4ad44569f

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.msi.tmp

MD5 6c47ba1df5d35b596471a7eba2e9e0cb
SHA1 96da64254b127ec828664c0a7987c7f0f5c58395
SHA256 22794a0c82ad36fbaf3ba35523b84c3387b3d4228a75af42e5bd9d48a4b97e12
SHA512 de9bf1728554b4ec510e440d029b682a5edfafb62904d951bddeca8ab4f6a8e913b4c33b6142dbbc42debc8558b452545ef8e34c307f5417947b5444f3804a91

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OnoteLR.cab.tmp

MD5 232bab3c52d64517aeb824f0eb9096a3
SHA1 9ccc0afd0a8148df5eb567c9ae9ef6c3c0cbb658
SHA256 35632c100b3693171a5969997f6af589fc03ae1f4893b70794f0fdb2e8d61df4
SHA512 3d46e5a9c2a2347d4edf50e68ad4ce93e51891bb8349933c74714258090aa1a457304e5308596173d756dd68f0ed271d554e041f0a8dc178f86d62be0fa24095

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OnoteLR.cab.tmp

MD5 f9ebd35a583baaf932741a53a357d2bc
SHA1 c4af9cf2937294e3e0ee3267899078518cd5719d
SHA256 f080716c813bfca6943f0600f77821d1417a9cd4c202d0ac0097221be76e311f
SHA512 ef96a35afada6753baa74c00edebf2132edc43c17be583459e1d97c0844ba8f1d9258dd48a9cfb7823597be963950bf1ab4d940596f1dc01dc087827abc283c9

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveLR.cab.tmp

MD5 b368a9e66d1614e1af22ccae96021557
SHA1 ee5c7b51e063a37ee7d4cb92be480b718a24168c
SHA256 37f80b3f07e90ce618cc174e6d01cad42c9b9fe3e90b7d72e37fe65c85e78408
SHA512 02fae6e589ab49fd1b9cfb06603197a4d8cfe4b48364e958f85a1869f81ae9cdb9f2a076b00ee06b43d53a7fde72a05ef5c9ca91471acdfd8c893d5399860022

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveLR.cab.tmp

MD5 58177fa0dfd5e2e64bc7ce5a390c3e0b
SHA1 d9b634f2bbe374d83d945414fd28eb40396c0219
SHA256 8bcf8d634baf7ed767e352cd0efce62c2f030e3d0c5a1d737ac451241ae7954d
SHA512 06cee019dfa68e663334db42d3945f7f0daa4911f758ef05185d1356fcd73cfaefaac1ee502ff607e6c8ab89ede813838ef0068380585572955750108714d201

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.msi.tmp

MD5 36d18393d5e6fb7a51b3eda5b6f91556
SHA1 07c0bc9d97ec42a1348aeede0cb8098c9a6a50d0
SHA256 5eb77362164278148cedec0c7fdd763092baa152d5ae20373a738185e0b42e2a
SHA512 2527f7ae706e37bd7002d53b111f79f0209672fd108bc2e87bb00d0ae00f0873a9c94b98f6bf83cad138ea8b9b8ab030d0d6256bbb1ba38bbea9ee9bcc7dd45f

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwintl20.dll.tmp

MD5 9e8c387885a6ba1de226766a48967d72
SHA1 00ad661fcf1b35ecf7146509bf13314ed220abb3
SHA256 feadfa5d5c8262c13704e2bf23ed5efeb3677bbe9ef3edee009cf531e4bfc15d
SHA512 bda6cc9586e63954e4d95f6c7196c1e367ca370041ecec0e9d2700ddc2b1a8ba07758236a4a2851f20689596760dc2431615490eb5068a3d41492cd8e7c49dd8

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\branding.xml.tmp

MD5 5d17a683244dfce25194f0e9bc7aa19b
SHA1 2ecdaf5142dee8c2eeb8dbc4320ae5cff4d33484
SHA256 ca0283bfb6abf0ccb78a07b6c5e518340df270e026456959f779ad002d66b335
SHA512 cc8cc9d100328e6fcba1ccee1dbb2bfcc7bb29b0b205b02c574c380be057419dac0763bc6f9de0f642df765e6d695b579edad56d9951b9090ab23edadb0d3a20

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE.tmp

MD5 a365a54f14f59d78e817e359b9146b0d
SHA1 adcc2002ca24b05f732cb4f00617b915ab08ca0f
SHA256 d90909d6d19d9a1ec7caff6881f5f2af06b0f993ccd744c2dfc299acdeddfe34
SHA512 2d05c3dc6d3b86e69092c5310cf222c970b295e7d2cf74a2566c21846432cec9d16803b683b66141c08d25e3ab2d6329a9dc5f437a6231c30bf7d6f188d2b4e5

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwdcw20.dll.tmp

MD5 894f9c463718be1e5d1d05111f907f19
SHA1 634cc52c2ba3ff761ae8b60ea8c8c13983948075
SHA256 fe62634d38385a658a7be5db4be1b03ca6763108c7bb33ce3b9b10edd50318e4
SHA512 b02e8e80358b406c648cf216664e836d4ce97e99842e01dba802db265e8e1c905bf026beeb3bc9e04994777e8630937bf47d80948421d473d61749c53f188e55

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe.tmp

MD5 6a62fca759e2a6e00e61a4c350914bfd
SHA1 f1b4327558ebd9186982ed0a620bc381f1563404
SHA256 0f304d737ed207fdb6cffbb422b941239fa5be2d92501e3e36b66e356a01de9d
SHA512 060e27cc6c473d1bab44c866a83e64d104b3b1ecdabffc6dfc4060d0493997bd1d6fb33a112cf529ddec29cd12263fb8d82843d57dcb486f5074230d4edc2ab8

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Microsoft.VC90.CRT.manifest.tmp

MD5 53ecd92412e5fdfa3c77ec6976cd4965
SHA1 3848463353ae26ecc0bd1d5fe9ac750f45d23538
SHA256 677513dc13a87de8c34b58ece9d1cf8f569e841a584080a5398b759ebd0c909b
SHA512 8450d66d34a0c135e76530874e0e66221c1cbde1f7d1eabd5d1c68bda2e4c524219e69700c12ab2cf5931a4c44e094a5ffe424407e7d41fb3581905e90aeac0f

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\msvcr90.dll.tmp

MD5 3acc3dc87b91ce04ac0436073d837f49
SHA1 1ad3975b184243df01d0a1d23d2137826593d1c3
SHA256 d3f07f5e01cf2e89312dfb97388e2fb44c2432e84cd446355dfa307f172299fa
SHA512 77ee5c168c88b868ddeef8fb8fbc8189fb6846520539220ffba7eb235b6b10bd75b7709e84978f9d61c72be6a1e8a11bac0559e2239c5d512a68e6ac7877e741

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeLR.cab.tmp

MD5 3390a0c25461dc4434e0759fbaf446bb
SHA1 c202431e179fc6b83f6f16e05bcfdc90a0ffd525
SHA256 c9111899c538fab0ad79c45f957b430a38d9ff543b88ae770290b6cd46be3f09
SHA512 7da6476f1de90a68b0ae9657e79a1d2d049dd16368ad3cf01f63242b243df85bfa6570d68218735987b3d059b7ec125ee3fc25a8b9496227414e8b9fd7bc1cf4

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeLR.cab.tmp

MD5 9bd755354353c7f6cb1e6659d8ddc861
SHA1 8a67e6bb620222b7ddcd8780fee0e15782614670
SHA256 d402197c00a55c75ce3b73c47c97b2e486005715e44341ffd21389abc691a2c0
SHA512 c8590acfecf2c88d44107de077984ecd594f36e5db242d681cdaf81d2507d73c7017cd6529cc85df6181ae94369561cfda1e2f598a8ee9afaafca65df33de284

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.msi.tmp

MD5 cd4d006279b2766bde4d226405f7fed7
SHA1 1b3efda8c987a303c2b94225cf065904fbb6f0d6
SHA256 7ff7b95d10dba80b48c853aa393b879f1a61d01825b224588e4e045177156bef
SHA512 befefc77a27bdce268345912010a72f933a5c052f5d31a72119c8f48ce2f558661e7c3bb421d0dab9ec34658766d7299934034786bd93ec751b7aca5830f76d2

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.msi.tmp

MD5 9ec51fe3650aea11742e40b093079fe2
SHA1 68a18dee89f44c3197dce7563bd33f344cb27efd
SHA256 c49eae984e411650bd409364f29f71f301a8ee5f6727b8a6f0a27bce8a9d2911
SHA512 94bcfb368b43aaf5b174a29f41ecb7866be2c2b829e325da47d959ede61430ba6a71f74edc6a0717f291925943a655a784f75d461f95f338d3e91b68398273e2

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\osetupui.dll.tmp

MD5 9df7dde3418f96e962263ec3a2bea1a7
SHA1 550bd0a5434104c4227885062e3d30ba37f5cb69
SHA256 4de77d17898ca9285b786b1e70df27cf4d23a8923d3ec478f73b01ba3439ec7b
SHA512 ac3554b8f00eeff2981df1e80ade966a98a7da8741a0c58f87eec1e1bec23e4e5c70bc87531c0a59fc3641b7ccade423dc6feacdd4bdd0f24d56bcf22dd5cf65

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\pss10r.chm.tmp

MD5 562dc5f926c1f68b500d4e1356052ecf
SHA1 1285935da5b00d15821ae3052c7e583d340d3763
SHA256 41507ff8d7e085a172f59dd3828b3cb0dd13edec33abb8a30baa0be411922720
SHA512 4383b3607300d6f99c1b657c7b770bdf8bc6d9b31121a67ed579ba7a9f767b8666709b4dfe1767e3cac95e29fed54dac6a666b4d38fba8a7327c1fda860266f9

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\pss10r.chm.tmp

MD5 3ccd7667373691eec0b06de301b8240c
SHA1 012d39a100a4c289f7a0eba4bb9e2011ba1871df
SHA256 757340f6a62962cef72ef472dcc83eec3d6c6077000fe2f9edabb826ad80a79f
SHA512 e8152f6a834be5f6ebd038599a2e63b67d6940bc3b7b4b7d2869aba8c6979dc6fbd7885a3ffdf28f68f9ca66a051a606a010511ad7569b3185f9ba453d4be566

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\setup.chm.tmp

MD5 6ebded2317f8fd28358c2a09959e70c6
SHA1 1373debc9ab7560d9591b8528afc00a401715ccc
SHA256 d97b5aaeaf2433ca31ce34200e42ad2591151957dda92b2fc25d6611400e878a
SHA512 cfc779958b56c48553c53745328b8bf8d1ed70c0c8bf5f9fd04caf86967c2b70b02cdd51da07e03ddc1a3a64c6b289db00535e7baef6c33d1b6254ed58c519d0

C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.msi.tmp

MD5 f3644494ea24068a4d65359a94cd4eb5
SHA1 9a88f5da3c698b37b197a908ac3deb2304cc95a2
SHA256 15991e924c6f7ccdde418faa47e2740360a242a0eb7b98df4697778b7d8294ac
SHA512 e36777e923600bf37b1b238694338e767032b203a1a892a0afa580fc7fd9cc74ba2ed151aad06631354b3157f33535d2830d945e1640517fa217a0509f57564a

C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUISet.msi.tmp

MD5 4d66885b2907efcb58d238b339638f59
SHA1 ab663a3938bdd658ec3c3f911a9a185f77e5d116
SHA256 c2b549064d06dcfd9dcd52731444073ff4e0044054bb4337b0b9ff0c1326ae9d
SHA512 badf77fd7660116bef261ed6826a9346a07811906804eaedaaa8865e7fd07c08f2437351ad6cedfe243ec903c582d71cb7705bf40dc988396ae7251707a09ecc

C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OWOW64LR.cab.tmp

MD5 204904cb1a8ad82a46d48cd976551d3c
SHA1 646f110c749e6f6a3da6766ea79a10ead19e9b41
SHA256 7ae35bebcf2e1318abba06c3ec8a1442136963d021dcde493819a572586f01f4
SHA512 ac8cd6b5bbb76b9f74b97f1a83843dd08043201ab813867bdbbe286486d9c69a16c4bdb56c838ee95f1f26f0a573d1a438a8b9df4e63e397df429feff0e53a08

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccessMUI.msi.tmp

MD5 180f3b1cacd46a0ad4435f0582f0c009
SHA1 b6cfc761efefc07e4489de8695600f96fea00ebd
SHA256 c9fa6f3ddeda8488287209b610fc9f69d4b10cf3121f00aae10adb8f789ed5f9
SHA512 4c9864a4e51b593c46f917662ad976bb5d237a63e29ba1420154fa44c3d7ea8081c5042d9508af2821c773d20e44adb4dda77626c13fd38f8137a2e202cfc62a

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccLR.cab.tmp

MD5 d30e4edefb4027867c37ea779111791d
SHA1 5d50a389cbebeab749e13ed8a22dd2c446098553
SHA256 e158b383ab1de2bfc3666763d44de6904b2b60699d36df92f03f6583ef866ddc
SHA512 63403c4d05b5fe259a87e157fd414a23c23c7d99979b2870a05c65452d07cbd88fc3db60bf8dd8a7e13f307aa977742e175c8b5ed28c6a26ac0334f5ed3865a1

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Puerto_Rico.tmp

MD5 41d1d18225bb33b47fb0e34e41bd4343
SHA1 99a888f5f4e228143fe3813a2d5598253e0d4c7f
SHA256 e5f277b5ca3d568f8ff573b442959cf7f1fd9bf358a88c9fa593fb0b6146f35d
SHA512 06bb10654e1acc83490f8e5f60c5a597f411b0a2836426471ccf661218680fee911ab20e04a0c792812cc775abdf4aa26a605fea6ed00ce1de2eb2ca3eaa383a

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-14 02:10

Reported

2024-11-14 02:12

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bdcee81a9236121e17b65292442195b7d9f493be47ad892b22b5a27f2a12ee9b.exe"

Signatures

Renames multiple (4548) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\bdcee81a9236121e17b65292442195b7d9f493be47ad892b22b5a27f2a12ee9b.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\bdcee81a9236121e17b65292442195b7d9f493be47ad892b22b5a27f2a12ee9b.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\WindowsFormsIntegration.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\security\policy\limited\local_policy.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ExcelCtxUICellModel.bin.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ja-JP\ShapeCollector.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File created C:\Program Files\Microsoft Office\root\Integration\C2RManifest.dcfmui.msi.16.en-us.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Storage.XmlSerializers.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Linq.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Data.Common.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTrial-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File created C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\VSTOLoaderUI.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\jp2iexp.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\ClientVolumeLicense_eula.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.XLS.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe.config.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Internet Explorer\sqmapi.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\en-US\msdaremr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Encoding.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest1-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_SubTrial-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription4-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcDemoR_BypassTrial365-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\msadc\en-US\msadcer.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\DataStreamerLibrary.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentDemoR_BypassTrial180-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_OEM_Perp-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\Invite or Link.one.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\SmallLogo.png.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-interlocked-l1-1-0.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Integration\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Retail-pl.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.ReportingServices.AdHoc.Excel.Client.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\7-Zip\Lang\bg.txt.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-dayi.xml.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Grace-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\EXPTOOWS.XLA.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_logo.png.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fr-FR\InputPersonalization.exe.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\security\blacklist.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Grace-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Xaml.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Tasks.Parallel.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\hr.pak.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription1-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_OEM_Perp-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File created C:\Program Files\Common Files\System\msadc\msadds.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_MAK_AE-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_KMS_Client-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File created C:\Program Files\Common Files\microsoft shared\VSTO\vstoee90.tlb.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-file-l1-2-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ServiceModel.Web.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hu-hu.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File created C:\Program Files\Java\jre-1.8\legal\jdk\unicode.md.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Franklin Gothic.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Grace-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-synch-l1-2-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Configuration.ConfigurationManager.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\dcpr.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_KMS_Client-ul.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\excelcnvpxy.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bdcee81a9236121e17b65292442195b7d9f493be47ad892b22b5a27f2a12ee9b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Zombie.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bdcee81a9236121e17b65292442195b7d9f493be47ad892b22b5a27f2a12ee9b.exe

"C:\Users\Admin\AppData\Local\Temp\bdcee81a9236121e17b65292442195b7d9f493be47ad892b22b5a27f2a12ee9b.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe

"_Get-PackageCacheLocation.ps1.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.16.208.104.in-addr.arpa udp

Files

memory/2216-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\Windows\SysWOW64\Zombie.exe

MD5 6b8fc3c72c7633c8f6fa384823c3d835
SHA1 92e77961bd673ee0e2f7e22472b10db3291b1561
SHA256 94f34af6da831e7170f311e96fa1637e419d58e96d3588b5daef677157016eab
SHA512 5f1091aa9e61cd14b867dfadf6d4261e67868e8001d3d1c783fcb57b714994a673415fed06c1940af955f336a32cfa113597418c9add0972ee95bbf6cad44c18

C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe

MD5 334c679ffcf438698c1cb300818e7fc7
SHA1 fde121488130739de6e63386d4c09008a533c019
SHA256 585315100306858b19a34af6741637d6b2a4f4a92f01447f8ff39fbda7fba864
SHA512 40b327e82b3bc98dc5353bd24ab014af71ce5e9fbddfd338b4b20aaf62fd66aec98d7d37b2a89f6af322478f5791b956008f10bf4e9c65bb647cd3a3c2020bac

C:\$Recycle.Bin\S-1-5-21-4050598569-1597076380-177084960-1000\desktop.ini.tmp

MD5 c06f37ee112545418810f5406587f236
SHA1 331dbcc4e14610bfa46a3ee52a166faf57dba564
SHA256 49c30c1349f13f8c26f86a317d1757221f39840544ce94153596a82499b7f24e
SHA512 290f2aa66016916ec9fc9f8b712582ee7ba6fa278510ccf08c0be49a8bb2bb1cae7fa90d434a9481e09e5e90786121af10f8acbf30c1ec60866c21cc2df853da

C:\$Recycle.Bin\S-1-5-21-4050598569-1597076380-177084960-1000\desktop.ini.tmp

MD5 45cf132fc60ccb29c3619f7fb5080a2f
SHA1 ab5cebf2dc9f42e692913919f9999bcb2de90a5f
SHA256 6f17a41172d7a3909cb252efdabf73d7e96bc3c2e0d0b1dd134f05062973d13b
SHA512 ec8397b516f0343ecba290303c271b7be383ba2a0abbc0d9a1fa17f472cc9be02e9899a30427f9e4ec00b75831bb375282e23afc6ce9277ee248dd3631f62312

C:\Program Files\7-Zip\7-zip.chm.tmp

MD5 5cff7d33926dd37094b082f4b5e26eb2
SHA1 8bdf60c7c36a06b5b3c873bf07ed20cdb37b8fc0
SHA256 d1e00543d43d6c19f25b1e0f88cbb9a2b27bad9f4d1dd12f8d2137888f18ec7a
SHA512 e1394ef671a0e0f5b07cb133e8c5db662f11277af917e767466a90dc891dd7e4d0dc5231dbc23550958d3c3ffa7498b99d34bdec5dd5d7c216b40996304f7c6a

C:\Program Files\7-Zip\7z.dll.tmp

MD5 ba34ad381af0a500b7078947635b8d44
SHA1 0a10dd5527f60d0ef1bcc0a7c30dda079c6d63a5
SHA256 ba4f307574431562cbb68493d96df590677d70823afb04d1d235cf12c4747fd2
SHA512 5e05c37d5f8d650fae7bf8aa63dec72f3a9c9ce25993f3a72d53a8c6ae2254db2e1576c7f191b8e239741e376c4eb0413d4382b7e900b33f6e6fd24d50f02754

C:\Program Files\7-Zip\7z.exe.tmp

MD5 a8d81b3858b7372fe0b91df2ccfbd760
SHA1 28a2539601d799487e90fdd5a69b49e78283e9e3
SHA256 d709bdd49f7d47218adb28a5399d9f8acca01e4dd6b6f34f6a1743a8c4edff28
SHA512 3b4bb42a792eb9230f48a8a835063885f4172b3a47331eeb95d01106e46bbccd9834a308574764fed57b98812f60bc01e562fbe0ca669d51445925e9b5fd6a17

C:\Program Files\7-Zip\7zG.exe.tmp

MD5 3274e5ce678da26cf806de21b3be019f
SHA1 63e3dac69b5c9b215142b7c708918278079614ec
SHA256 232a31e66ab7a9bce3abcf045061fdd73c06a7590301778dac6a766ee97dda98
SHA512 024f154e359b0c7f11bcf0113e7ae19f09bc61c7b7fc61f210752be463ea689424f25342b5ef8b36d25b4be145ecc90b2875b6fd8538ce3d2023f7e4f878de99

C:\Program Files\7-Zip\descript.ion.tmp

MD5 acbb9a568a6121ead33b62e816b326a5
SHA1 94814ed199b20e6ffb1ba00ffa823c862065eeeb
SHA256 3f930671d2cf5e19ac5e13761ce953dd45465fc7072640794b7e8336a5bf9ba1
SHA512 17070d662ce512f4fbece9a5ef8729c9547e5cb3ab7ab644b30ae7c605ddbff966a27d1c41e8f0513b4d414dec3e308ecb460ced1f063899e5f702dc110a5624

C:\Program Files\7-Zip\Lang\af.txt.tmp

MD5 be1435a7029526d52ea7511f16f1d9d1
SHA1 c9a994869a68498e11bfb9db4781fbf62c7e2bbe
SHA256 c9a13d5bc7031b03c6ae0b2e4f2039134d9089f25118f5dad75ea017586bd8ff
SHA512 9693c7b214a224d6a82304eac994d799a17f8dbd2489d66050f871a74bae4983529cfb4b9fbd68f916f2709ade568b2a60a39796800173bcb828c6396a771f3f

C:\Program Files\7-Zip\Lang\ar.txt.tmp

MD5 0e49f5dca2b934bbaea4f6c5d93cbf9e
SHA1 dfc549e908c778c5f058b6d95e500c0e9c7dfd19
SHA256 f52fb6087f0d8134a312efb40b616f89b0c450757f093d89e9d05d5dc73cc352
SHA512 5dcae16b384c57f700106b5c77e8d7d92015dbf321844ff38330ee47fee9f73930818601c97850d158982a026ff7b7e8ef75d46d88d6dfd85f78168d0362fa63

C:\Program Files\7-Zip\Lang\az.txt.tmp

MD5 d68bccd63f647119bc72ea60340d1e85
SHA1 bace32651b199fb8a8c30574f01070278dc06698
SHA256 7345266cdbbfa5bbca5a09b1b99888f7e8936eca483466efb4dccbc5024243dc
SHA512 17d87d1817e51ccf6355aa30f7d99e90f63763a843f0c9800882a9572b47c09e6fa67dc174acdb734aaf86fde310a1df4ba611643c147ec701e4b0d07b262a15

C:\Program Files\7-Zip\Lang\be.txt.tmp

MD5 179d19570b6d5a31240504b8d3318dd9
SHA1 b43f0485a8f7ef7920a9846644d16a018a8b1799
SHA256 3dcbb8d09f6c3ce8074e41ab6131777b4a9e4e96c208b9ae6917714ac04ebf65
SHA512 3158ad95d3334d07d3e0dbe7faf3a1cdcf14688f720d7a318f196e0e0da85218f4b4c3fbb6f27781fd980ad6b5b8b9c2f6bdc386ee5ae18e085204f72549c24a

C:\Program Files\7-Zip\Lang\ca.txt.tmp

MD5 4cb5add70b9b192d894f23244b35cf5c
SHA1 a5e83e88e2c667340b153a4ea486faf1bf0d9a24
SHA256 2e9a86070cc0495fce0534457c14ddea9e4ac2469b79a900cce3451af195fe0c
SHA512 57fad6ab1da0b35207c1c561940011966d789fcf387281336eff5ac480f58f1d009db72131e338880a97864244fce8c8b41b4f8949e7f8ecb0e975d598424292

C:\Program Files\7-Zip\Lang\de.txt.tmp

MD5 cd97a3b397bec027ebdd1d04c1a05c30
SHA1 f53bca5286962109adcdc7a7c47ee2b31db57f5a
SHA256 70a242749e9500a5f0c692887f9f82e818db28f6ecbe977829b239feb943df25
SHA512 d61af8511f3aac64abb7c18a0fb5454ce1ae3f885f6796668df17af39151e6dfea417733255124b73e69009369812e4557e1ec77affd4d7aa3bebd20c447c120

C:\Program Files\7-Zip\Lang\el.txt.tmp

MD5 66b3433bc208a152ad35cf74c1cdadea
SHA1 d7dcf04d7d09d8a9d172f955969347df77308139
SHA256 bba95b3c87c4991a25796c49a7f4007fa21921972a679a4bb9331fec131ea6f7
SHA512 b7349f0651c4f6749738b64d2dc6a30a3c11d94eebc831f87c43484ac42c8c8ea007043c30b2f60246e7c2cde1e65f46d80fae76de2ad9ad3b2cdf97a89087bd

C:\Program Files\7-Zip\Lang\eo.txt.tmp

MD5 ca59cace3cdf3253e6a21371c46102f7
SHA1 5c84e52e4ef74e18a095b05acc078d77fcc87111
SHA256 2c5321b0fe0d89363a1b4a8488a255f4d9102092f3f6ce4febac811710fe73e9
SHA512 77a1c6d0284b3f4b368d5f87152d3e2b9482e02751556a174f882f14312e8524f79eb91e843ea66609df2627f53bca7beb383266fdbc280e25374e0fd7e1e68d

C:\Program Files\7-Zip\Lang\es.txt.tmp

MD5 aadffdbd268d8d69bf00a7f1fd93dcc5
SHA1 4242d00d3a9d38a2f0fd51035dd3e9902c6e5f6c
SHA256 21a31c8e4a518af201bae2bc40b5d7c01963ab04892c149109b15fa4278241eb
SHA512 1820b3e5b8416edb40e8884a4ec0f38ecb29e1a98382150e7302ca20e1636b9a4b1ae91f154469b37ce09463c54ee0ff83c21e21b1986a5828c16519e034d792

C:\Program Files\7-Zip\Lang\et.txt.tmp

MD5 1e2be4942e25e314d1ea1682960dd6df
SHA1 2706d9d6147f510e8e2d44c80961d6a7d6c9ceb5
SHA256 720c6ca1b7eb9b99ba9e6c459809a3fa209b7641f1f65b2f84f6cb5402a57294
SHA512 3903838e82fc849b83ff14ae6a992b9545f62b6d794807117222263b55ebac86053d9ec345093eddf569fb3581f49dcee31721ba46933c05f56040b0ab336f9b

C:\Program Files\7-Zip\Lang\eu.txt.tmp

MD5 66221e689a6360aa90d0f4a714d09abb
SHA1 4f14f1641b3d70664eec26e37cb0a548c3a6bf6b
SHA256 c8cd700439d825104e35168377b4af97dcbdf0546358334d7ee137c39646d9a2
SHA512 c2d354b4a7efd7decf78cfb0815884d73ee23f625a2f531076b829d53a8ae371f5091871829da3db58968ca1126f76c0a0d52ead9e2e56579c2c610a0b4affb8

C:\Program Files\7-Zip\Lang\ext.txt.tmp

MD5 2c6922c136c7c322d889a719ba439a3d
SHA1 0f1fbe582429f32c5fbf118888e3ac2726999648
SHA256 0bc1689c71b3d50fe28b229044b2f9aef4919481389527726a9c6ca4183e6258
SHA512 81855e24d82f9c6fd4b4689c194e78f229cff76e8564df9db0cd1e72c0f644a4b35127d418a277d00ff406e711349fb8cc7535af24c82051da3c07544c01c3c1

C:\Program Files\7-Zip\Lang\fa.txt.tmp

MD5 9ec61ed5dcedf517ce7560022059d24b
SHA1 0b08221d22c263e8caf57bdf0c06dcf3471a8e2c
SHA256 c10da64c5a8a1e48230e87619b98bcce5a30ef8c28ffcf02d6b5acebec9a80aa
SHA512 a512c8440b6ba680bf8efd4ff33dcc0040593ff0508354dfebe2ae0e9ceba82deb656abf571d381f59fb2d22f54cfb46d0b80ebc77a7455a93564dde689bb54e

C:\Program Files\7-Zip\Lang\fi.txt.tmp

MD5 c449a9f547d57278cec357f8321f75d3
SHA1 3ce6a1dc16b2dfa4d2ebe822f15861b2f80bde94
SHA256 c19f6fab882ef30db6e0e7e1f0f811f1a8df0ce0956cceddac196af3c58e2090
SHA512 1628818fa3ed1befbe844861ef8c9349a1bbb624f49ec5b5a1fc99d2d0910f071a23a22e8d0ef132caed7588c5b7b62363e98101e1de0578cfc810f8c34b5dae

C:\Program Files\7-Zip\Lang\fr.txt.tmp

MD5 f44b5ce7eb65c38e01fd341509244fd5
SHA1 377bab839c2dc908b6f7482419edd36f00e18572
SHA256 021a93308581d4e9c127bd7c53c9ef6db925c531d043c0af0f57318f15355e8b
SHA512 163c53501c65a9db6e592fde871a7f8789ccaddab9f618955d87709447bc56654345689f835a7fe9ec5e271ac57eeacdcd24557179b67bb8d6a9295f047f8e87

C:\Program Files\7-Zip\Lang\gu.txt.tmp

MD5 5496f10b190cd60ced916b596e5d3650
SHA1 9bf4c52ee13c3e99bcf0e40bc8ee27fcdec6037f
SHA256 f758338cdbef0047e5cba4b5d2e75b722e8cf5e7491d943080b86f961e2506dc
SHA512 9d0561e4f3ec17ca8d9d2c68bea1af7286424263ff3e6da76e295e78a9b280088d1d12bac86937879fbe4555544050169827774cae1d731484468887daddac76

C:\Program Files\7-Zip\Lang\gl.txt.tmp

MD5 e7070171168297a949cb11e136323238
SHA1 a68aa6f48ca576a0f400819300e101bc02e1b03b
SHA256 6a592f2e7449069e4de57422a3616d2d6379383f0620cf946c421845950f0e77
SHA512 7cc783c2374b816f0c09d22018607ed829a8f81a2358b8b71d6f67dc38565d96c4c1bd4c254b22503c22f4c875d4a00aff1702358b0728c341b33ebf3f6232e9

C:\Program Files\7-Zip\Lang\he.txt.tmp

MD5 1e93f01cbc5edefcfe73ed50c31b6a55
SHA1 1a0bee6cc418c71840276178cc74d8850b2a74eb
SHA256 65970def9a32177315ddb09c01ca9a02e86f8abb3b94598242225f5039f70cb3
SHA512 9fa9667cf2dafc3cd08357e89e6ed6a6810948ab039c0301a16632e9849737d55cd85f60636956e457a6c4a7751a4ac6b15081c1297d64a00a203262ba9b2bc7

C:\Program Files\7-Zip\Lang\hu.txt.tmp

MD5 6728bccac45334595982589ce20e09bf
SHA1 5ae455f2db82ea9c1cb9686beefea8acbef8fd13
SHA256 b90ff0b53c75a01cf83957048fec7dc772e6a4b91a31313282cdb3c9978cb183
SHA512 149abcbc4262e26672044f4456f6869ccb351d87f194037bf0e25af822661b1637e0be2f486ed5ba97ba7310537427be275fbdf947f747d8933f89a5136b24ee

C:\Program Files\7-Zip\Lang\hy.txt.tmp

MD5 6c8819927aeb86793bde7016ba5cb16f
SHA1 b2c624eb672b3b2cf6286fadb58eb964955e936b
SHA256 6eaa4e7c6c716f0e542d2e598a66af58330744217e603363534668267a475905
SHA512 607065e6fe6c5dce95bb2f38c3de9ca5fd28ed76bb32cabf7df0b28a40d7218cb27e80b278271a41dfda1990bfa83c38c4b0dbd841b764ad49897db423133afb

C:\Program Files\7-Zip\Lang\io.txt.tmp

MD5 8b2d37559150472930af78b1d8b0a668
SHA1 1ea962413a0c626dffc1178fe7968a21b6d9ac32
SHA256 75f3f9085fd6267fc2d66573f6b695bb24cb511fefbc3c71c826f7baa70ec938
SHA512 98047702eb79c712e40329a569ac8be1bb6fd0f6ae5a6870cb38581742d05af49294a97ea423518b552a0e3dfa4f8b02abdc46115c3ebcf20b8237158028fda6

C:\Program Files\7-Zip\Lang\is.txt.tmp

MD5 53c5232a307a84344d8cc4d1a5e47738
SHA1 19c9f7e2dd1f69b7f9c1acb33c19dcfae2db2a48
SHA256 4254ad42746f794033814120e8659add8797acf0cf5c1311d55f7dbdabe66628
SHA512 d5b056492e82450bf47e539e8203d0d30fdfc830b3f1da67ca3539c4945200b398e79cbe81cdf54f1d4e27736e2e5c8832d6bdb4cb83affd31bcaebd1f36466f

C:\Program Files\7-Zip\Lang\it.txt.tmp

MD5 f4d2c7401b236bc084c09ed4e8d5d697
SHA1 8665c7a49341a5e4a6316a160b59c80fe62483de
SHA256 c7b6eefc7bac161eeb50136b390b8b3bb674d9fb27f50470aa7c0b672bd0bdfe
SHA512 7d885045c448ab99edaf6f91b5cbd01096261ce410330c9c7365f76e4962364c493422528df288ca885f94f06ba872d172f56189f37ecca186ce08e3dfd557bb

C:\Program Files\7-Zip\Lang\ja.txt.tmp

MD5 bed0739331bc52bab0910341caacbfc3
SHA1 dd8e0842ea72043829ddb0729138676fcc14f2e5
SHA256 125f54df4325cdce0b8b9e6a698fd1ac4723e6c6b5b65ad10c0357ac4fc1b553
SHA512 5ec08b2532d66849de47313bf4a41453fd542e641584580c6480a05fdf658389ab9681a318878a48fcb398da62f88a484d1d1ca224fa9572b3592d035e93a675

C:\Program Files\7-Zip\Lang\kaa.txt.tmp

MD5 555355dfb3cf9df9583ca10d368dc553
SHA1 fbbdf99f826bf774d47b1b867790f88ef28f46ef
SHA256 f45f52535e3ddadbeb050ef444ce4d384861bede2f61d59ca60a6cbaa65e5c05
SHA512 16dfcff0585ecf958bf7fcfb3dd34871b4629683ed9b40a0a1ad043ef11f6fe0e62d5f473978b61c7fd55c5291845dd703a4e4b065d7c03413d42f36f91892be

C:\Program Files\7-Zip\Lang\kk.txt.tmp

MD5 18f6d2846b8a3779617f6a2d7530ec35
SHA1 cc79112d0e362c7bdc21309cd889c588bac8e816
SHA256 e7af1366526c57c32bc6b0fee9032a0cedc4bd2f7cfd970da44a15a548daf696
SHA512 ca48d3a9e0043612e4242ae5197857bacc4a072638dc80984f9713d9a61f0dca47040047669293a3104ea13b140412ea83047a2c31798701ee7029839338e8d2

C:\Program Files\7-Zip\Lang\ky.txt.tmp

MD5 beada1b14bf5a878691bbe6dd12cf787
SHA1 cf2984ff39020b9b40071c24594a2d42c1843b4a
SHA256 ccbd29930e23b04c8844c3fd05db8416481623d35be3a24e48f5f9efc8581d26
SHA512 433fcc2376c98d6b450850a403a73c8926932fe536563d4a996369b2f85cbaf64c00cf056d0b8b0a9bb9a3832d0c5d3e84dcc0b6e1362c0b4083ce182099a7c1

C:\Program Files\7-Zip\Lang\lij.txt.tmp

MD5 a8e7d88a3a435a7134dfb885fa2e7747
SHA1 93f26cac5668bfb1ec464abcd409489007a281bd
SHA256 1b56711c2dc22ddffdbac445cc02b7f29de62efbb14ce4cba6383b15312fe189
SHA512 aee8afc2d2d4e325704bd2a265d7de0a0e8ae027d9a38b1a3fe621bc3dbed47cd125d43c2fd96e73a578de082e69bd69fa7caee9bfd41c2adb9670e06cfe2b24

C:\Program Files\7-Zip\Lang\lt.txt.tmp

MD5 9b2c7ceb9aac44b8aa494fab50981cab
SHA1 5386d367ff85f7b413b50021d225350ca48040bd
SHA256 c42ca3e568507bcbeda86d573e65dd726417778504591aa600986951b68adc1a
SHA512 88ded9b7dc6b1dbaf6787e497246fe7df931c80c2c52ffaf791fe8e4ba52664245ab22ad3f701996684cebfd45df3dcc20bf65b14b2aa46f3c5c7ed0b5354085

C:\Program Files\7-Zip\Lang\lv.txt.tmp

MD5 0ce3c5e0a748de35fc668b23be09c8e0
SHA1 addf32d5f37b079189d00dd491ff960025e616fc
SHA256 5f99053240053be31e526815fc4366f528d25e00a16d6311f504eb0b6fe36aba
SHA512 f0c5d371868ba2e42770c812b7cf9cfa8bfa96ee4f8e2a22b4c962aa914c2e227aa2e28180460a99ddd15103081465c42800d4f61440082262fd3e827014b9a9

C:\Program Files\7-Zip\Lang\mk.txt.tmp

MD5 391285d392e941f1d46eb03da5efac7e
SHA1 91ad106d1f41d0b7c89598dca559513648ab014b
SHA256 dee2ef66fc692c4e814b3f31aab600519c95b9310c6367b3d313b4fdad705f9f
SHA512 26c276fe1ef0cf5f21a3de264c1812730a25317f4200cc86f5f5e9abde7429b2542c8103451d18e7efd4f1f2930d4f48c4dd9a6470d7045d93e3543680b21d63

C:\Program Files\7-Zip\Lang\mk.txt.tmp

MD5 cb62633effed641b8b5d7b64c142940b
SHA1 4eed74a3da4e6d3cdc22f76f08d84c7b912c4543
SHA256 e0a7572b2f8be2f5dd5111fbf48817d92ccaaf54330130cda197dfd81a116541
SHA512 7299a548a8b653cc1c710bcfe4cc5c51a427b30b2787520e640d170acedb893f0f1a42787b77b50be3551f35f6a0dae7f902957c11ba37e6cfdc9d9411f591fb

C:\Program Files\7-Zip\Lang\ms.txt.tmp

MD5 d2e12a1c22e94a22e24a8cdd12cf6ca4
SHA1 87482f30ddd1beae176c7d693b70a24c8adcf277
SHA256 0b01d810b582a897988d628d4769aaa5350df1d2294abd4231c97ffb8ffdd9b0
SHA512 3bd92a28520eb8f6bdb9c3c6551a0fff2be27ab10a86a864285b48f740837e398f1f0ab589da20a1198ec2d0169f53fc773e5d5914ec2075bd34b080547fa827

C:\Program Files\7-Zip\Lang\nb.txt.tmp

MD5 8301dfa8263608f5ec31e7a314497278
SHA1 f6dbe77892172e607ac2d5c9bd3a222c24c2103d
SHA256 62161a3777bc4da910544a0bb7785646bfdb6ef010f6feba838751a49fe436ba
SHA512 8f0368c6ea99bf4a692d88ef5286fd6af6f3c4b845d7a23be87de99ced9f6f6a85d103d75a24a80d69ff4411607382ed895806ac6ac8c4b62546818fcd17832f

C:\Program Files\7-Zip\Lang\nb.txt.tmp

MD5 be2ee12d62228a80eebc4068ccd0a159
SHA1 7264813f69c001052b28ea503566d8a25defe195
SHA256 396e08d23dde1560686f85d2d24aae2c1294a7eba6fffc5acb8ac7c84bffb03b
SHA512 647384cb1cfb646a311ba3f2d96f8973b6f444a1462857e16db6c97a862846737313c33f47bfbcc13dd2ba64eb4e243da57eb4702896b96c06e989fc9954f980

C:\Program Files\7-Zip\Lang\nl.txt.tmp

MD5 0357495dba7cdc1ff3bd74e3a72b28b0
SHA1 c6bfc4ef82f586e95669e505a4492987cef8f978
SHA256 cd755e900ac5601aebcdb2e6f488da61f2d113d10bf0bd6a7bf46c92d9f4ca3a
SHA512 b17eadeac0a7cea5bcf4a26112706fa6b588653506e869b8168d62d1dd37ef2217db0e497b8729562e7fbb8848261ab0bfdb04733b637b0ff87579501dadc717

C:\Program Files\7-Zip\Lang\ne.txt.tmp

MD5 adc4e1cf866a99555a2cfbaf9fbbcb61
SHA1 ad157db27a17f43847d76795cd42787a151a16a1
SHA256 b5c16eb1dad621586afead6a80653286905933007db2a84034ceb29969a4dc4d
SHA512 086abc33f63f224a4660f3b399a1ffe3ab4251e0f4ec25ea2291dc4fb4ddad784d30427cd7a47271ccd8d3280802ce91976d186aa8d2851080b490bc1002b346

C:\Program Files\7-Zip\Lang\pa-in.txt.tmp

MD5 59c65830d1a093797a75a46083628542
SHA1 f113f3ca9c55402db7394d3103ad6341e9061b30
SHA256 30aa24ae9fc594b7ef32a79de8ccdaca41066cc526fc4fbca4ac2bc96aad3f0c
SHA512 0251e95ee1fa0820d0ef8602a96f9f8ffa90a99cc57591be356438a3badfefc6b5ab1e3eb6ec7c899d266f6f7655fde13fe2187f95b83a659327b77bba5ca353

C:\Program Files\7-Zip\Lang\ps.txt.tmp

MD5 df885fbc5d8b0e6757d967940249152a
SHA1 9789fd52a75e3c97e6ee8227ff8d5895a597f4b2
SHA256 61c477656584ee985071bbc6a1c59445498f4295d0b6a1d68300795722e8191c
SHA512 ccdfe20d3b18f792f87f1fc610dadca82a3216d64531c172adb9f25b952fe24e6d97426da3eb8114caf71499c7ce7d37077f69f188cdeb88a3ea607d5ce4fb20

C:\Program Files\7-Zip\Lang\pt.txt.tmp

MD5 119a58f31efeb360ecfec798459a3a7e
SHA1 896ff7a05e635e76e292ae70e2e6b9c95b06c03a
SHA256 b0a9aa32fde67ae23d7cddb18677bccfc22a6f985c32a168ec4004448960a372
SHA512 96062d4faf9f45d574e335660fc74c6bd7e61cfed0e483531373408a76c9513452b00e8eea669f9fe899b165bc520a4b55136f5fb2562a23e3b5828190ce1c87

C:\Program Files\7-Zip\Lang\ru.txt.tmp

MD5 d2bf1d0cbe44bd23154bc84d47d2b521
SHA1 5a8a8ad6aa5d322ecf496a72ac2b74cf6d3291f2
SHA256 0eedeee1d5cbcce6e0c6156a9f3a3e8adff331453d89ca3df365e59cd87ab382
SHA512 8e0e8905e69b2d0b91be4c0d5acd697767986f160fda6c903930ab7d728512789277bfe7a5ce3cca600f4f75b620c43f560db3eaea443116d28e7bdb548eea2d

C:\Program Files\7-Zip\Lang\sa.txt.tmp

MD5 d1eda994a56a0cf0f7dbd019ded59e35
SHA1 60721c017a0b820a99012e81396c5c4af5b4af2e
SHA256 b475a5b678dd83db93946c14de05f9ed44e46c88d31838300d7673008f2f3249
SHA512 82a504cea3bff4945544ad283d10e4e830451ec9399aa9952441df31ef79101f692ef21dda15ff34fd49d7de2fb4364c4e7b0f956ba71bccbc019eb778acd858

C:\Program Files\7-Zip\Lang\sq.txt.tmp

MD5 08773f10f45998c43b4d6802f3283361
SHA1 176035c4a9f2098e0864ff091e7a10bb3f848124
SHA256 943b18d7eab1a39b779567951fc1617650f02511e9a882b49acec5b0c912075b
SHA512 bd4b4e0175c55f991db480e27db379f225414308616f99a66db4d330d1a0e52d1abf4460091ee338b6cccb5a7844b780e4a34d5ec2d7534d162a97751888040f

C:\Program Files\7-Zip\Lang\sr-spc.txt.tmp

MD5 74a1d926ab57c665bae0bcb4bc715629
SHA1 2e35e643008b625b3f292d51433db66aa88a152a
SHA256 26b966d0615d07363bb16c19e92b6eeb793e8bc53b06a0ef8747d2a2f42b1e01
SHA512 2e8c10b827b4dfa029947cb3f36e3b0d6fb9437de189cda9c308570b8b196db7703810686c851c6a0a7ae6e63363f5c8528a06bdca62dfc60460470cb5860f23

C:\Program Files\7-Zip\Lang\sr-spl.txt.tmp

MD5 be67cdc50d6a4fe91a478333cdec92c0
SHA1 82c671aff5c010516712ef3be910e0d1fc0a6d42
SHA256 818230c98c710cd6ae0cfc2840e13800a3d56b0eba41db562358382b6e7a4d37
SHA512 5396f5aa553c22dc6c00d235737a7c608345ff28ee22e4aff02e02def7d8f22a06424ecb296d51b005db2f3d919accd7fc34b95dcfbff10349a3dacb39d741ee

C:\Program Files\7-Zip\Lang\sw.txt.tmp

MD5 c05ec1a2a5afba0285f2efbc8d951e32
SHA1 50031f813a6a3fa2386606351928fe1504eea3ad
SHA256 267ff9502756aa80e7aed94567497f4ca0119dd5195f971acf460c6f5b37c8ec
SHA512 4d3e2e6a27954becaca4e44571ac64c6a638d4ee7cc33b3bfe08eb374db1586f09f73562aba051eff462c08db0f67613b648e4760ccedaf05ce7b279936af3b6

C:\Program Files\7-Zip\Lang\th.txt.tmp

MD5 3c80f4414c4b79a289b13c9037a59d0f
SHA1 d6c5b5f1e30a2beb7dcf0c2845e9ff665c91000e
SHA256 09791459a36185a9eecc1c1f32b4440354cfc2cc36300c0320b242aa89533acf
SHA512 b7f98c1d7dab03b187206ce3e2fdb668cad2fdce9d509518100711b76b82927482a408a5f18f517d77445bec870c4787731a6dad5aa0e9a0de461ea81e75e88d

C:\Program Files\7-Zip\Lang\tk.txt.tmp

MD5 15806589e17b01f73cdc8d1467dd195d
SHA1 7635928617698b474f039a90a3b1f05897bbfa80
SHA256 519fb28ef4f149d3e1c5f58cf043b8a33bd8bd9af667903675acb9bd4bd40967
SHA512 8cb95bd24caa073adec89369a357ab7d0cf65ebec938de52621d1b8a705455079f28a8120e41dcacc30598f6f7c413a767ebe323122cc634176d4d55875355ed

memory/2216-659-0x0000000000400000-0x000000000040A000-memory.dmp

C:\Program Files\Common Files\System\msadc\it-IT\msdaprsr.dll.mui.tmp

MD5 b9d2ba683f29d7bcdcc2e3db2b7fa88b
SHA1 69f8435b07906f7be8f38769f2c5579645ed72a3
SHA256 3839e9c5d4d9edd79af9487eb2facb05af5db93b340d8bbcd277759d50be9087
SHA512 7e73d27513dbbd09c06e798e58d0b61b1d9fec45b90e9d67bc3d6653e60ed9d41f37b448fe2212f97717a0e8190618e584b881584eafd2487d91e59acaa5c6c3