Malware Analysis Report

2025-08-05 15:05

Sample ID 250519-qz9z7sypy5
Target b1d7f211c28ed65af25d260cf470d13d934bff8de966b5cf6fc5a1264165bd55
SHA256 b1d7f211c28ed65af25d260cf470d13d934bff8de966b5cf6fc5a1264165bd55
Tags
discovery ransomware
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

b1d7f211c28ed65af25d260cf470d13d934bff8de966b5cf6fc5a1264165bd55

Threat Level: Likely malicious

The file b1d7f211c28ed65af25d260cf470d13d934bff8de966b5cf6fc5a1264165bd55 was found to be: Likely malicious.

Malicious Activity Summary

discovery ransomware

Renames multiple (5071) files with added filename extension

Renames multiple (5069) files with added filename extension

Executes dropped EXE

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-19 13:43

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-19 13:43

Reported

2025-05-19 13:45

Platform

win10v2004-20250502-en

Max time kernel

150s

Max time network

114s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b1d7f211c28ed65af25d260cf470d13d934bff8de966b5cf6fc5a1264165bd55.exe"

Signatures

Renames multiple (5069) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_WER50FF.tmp.WERInternalMetadata.xml.exe N/A
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\b1d7f211c28ed65af25d260cf470d13d934bff8de966b5cf6fc5a1264165bd55.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\b1d7f211c28ed65af25d260cf470d13d934bff8de966b5cf6fc5a1264165bd55.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Google\Chrome\Application\133.0.6943.60\PrivacySandboxAttestationsPreloaded\privacy-sandbox-attestations.dat.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\WindowsBase.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_WER50FF.tmp.WERInternalMetadata.xml.exe N/A
File created C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml.tmp C:\Users\Admin\AppData\Local\Temp\_WER50FF.tmp.WERInternalMetadata.xml.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Grace-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_WER50FF.tmp.WERInternalMetadata.xml.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Cyrl-RS\msipc.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] C:\Users\Admin\AppData\Local\Temp\_WER50FF.tmp.WERInternalMetadata.xml.exe N/A
File created C:\Program Files\Common Files\System\msadc\en-US\msaddsr.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\System.Windows.Forms.Primitives.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\legal\jdk\relaxngcc.md.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest3-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_WER50FF.tmp.WERInternalMetadata.xml.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ipsptg.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-file-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\_WER50FF.tmp.WERInternalMetadata.xml.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_WER50FF.tmp.WERInternalMetadata.xml.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\PresentationFramework.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_Subscription-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_WER50FF.tmp.WERInternalMetadata.xml.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\da-DK\tipresx.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\es-ES\tipresx.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Resources.ResourceManager.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\cmm\GRAY.pf.tmp C:\Users\Admin\AppData\Local\Temp\_WER50FF.tmp.WERInternalMetadata.xml.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\sound.properties.tmp C:\Users\Admin\AppData\Local\Temp\_WER50FF.tmp.WERInternalMetadata.xml.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial2-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL089.XML.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Json.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_MAK-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_WER50FF.tmp.WERInternalMetadata.xml.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ONBttnOL.dll.tmp C:\Users\Admin\AppData\Local\Temp\_WER50FF.tmp.WERInternalMetadata.xml.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\oledb32r.dll.tmp C:\Users\Admin\AppData\Local\Temp\_WER50FF.tmp.WERInternalMetadata.xml.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Primitives.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre-1.8\legal\jdk\icu.md.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription2-pl.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] C:\Users\Admin\AppData\Local\Temp\_WER50FF.tmp.WERInternalMetadata.xml.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_fr.properties.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial3-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_WER50FF.tmp.WERInternalMetadata.xml.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.Linq.Expressions.dll.tmp C:\Users\Admin\AppData\Local\Temp\_WER50FF.tmp.WERInternalMetadata.xml.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.Reflection.Extensions.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Internet Explorer\sqmapi.dll.tmp C:\Users\Admin\AppData\Local\Temp\_WER50FF.tmp.WERInternalMetadata.xml.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest5-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_WER50FF.tmp.WERInternalMetadata.xml.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Grace-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_WER50FF.tmp.WERInternalMetadata.xml.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Grace-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_WER50FF.tmp.WERInternalMetadata.xml.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp4-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_WER50FF.tmp.WERInternalMetadata.xml.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\UIAutomationProvider.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_WER50FF.tmp.WERInternalMetadata.xml.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial4-pl.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\OMICAUTINTL.DLL.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL097.XML.tmp C:\Users\Admin\AppData\Local\Temp\_WER50FF.tmp.WERInternalMetadata.xml.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\de\PresentationFramework.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_Subscription-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_WER50FF.tmp.WERInternalMetadata.xml.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSOARIACAPI.DLL.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\TecProxy.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\Microsoft.VisualBasic.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_WER50FF.tmp.WERInternalMetadata.xml.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\cs\PresentationFramework.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_it.properties.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Grace-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_WER50FF.tmp.WERInternalMetadata.xml.exe N/A
File created C:\Program Files\7-Zip\Lang\zh-tw.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.AccessControl.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework-SystemXml.dll.tmp C:\Users\Admin\AppData\Local\Temp\_WER50FF.tmp.WERInternalMetadata.xml.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\security\java.security.tmp C:\Users\Admin\AppData\Local\Temp\_WER50FF.tmp.WERInternalMetadata.xml.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-pl.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-pl.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial4-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_WER50FF.tmp.WERInternalMetadata.xml.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_WER50FF.tmp.WERInternalMetadata.xml.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ko-kr.dll.tmp C:\Users\Admin\AppData\Local\Temp\_WER50FF.tmp.WERInternalMetadata.xml.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\msdatl3.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.Security.SecureString.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b1d7f211c28ed65af25d260cf470d13d934bff8de966b5cf6fc5a1264165bd55.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Zombie.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\_WER50FF.tmp.WERInternalMetadata.xml.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b1d7f211c28ed65af25d260cf470d13d934bff8de966b5cf6fc5a1264165bd55.exe

"C:\Users\Admin\AppData\Local\Temp\b1d7f211c28ed65af25d260cf470d13d934bff8de966b5cf6fc5a1264165bd55.exe"

C:\Users\Admin\AppData\Local\Temp\_WER50FF.tmp.WERInternalMetadata.xml.exe

"_WER50FF.tmp.WERInternalMetadata.xml.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

Network

Country Destination Domain Proto
GB 2.18.27.95:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 216.58.201.99:80 c.pki.goog tcp

Files

Analysis: behavioral2

Detonation Overview

Submitted

2025-05-19 13:43

Reported

2025-05-19 13:45

Platform

win11-20250508-en

Max time kernel

149s

Max time network

105s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b1d7f211c28ed65af25d260cf470d13d934bff8de966b5cf6fc5a1264165bd55.exe"

Signatures

Renames multiple (5071) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_WER50FF.tmp.WERInternalMetadata.xml.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\b1d7f211c28ed65af25d260cf470d13d934bff8de966b5cf6fc5a1264165bd55.exe N/A
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\b1d7f211c28ed65af25d260cf470d13d934bff8de966b5cf6fc5a1264165bd55.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.CompilerServices.Unsafe.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Csp.dll.tmp C:\Users\Admin\AppData\Local\Temp\_WER50FF.tmp.WERInternalMetadata.xml.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-stdio-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\_WER50FF.tmp.WERInternalMetadata.xml.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\javafx_iio.dll.tmp C:\Users\Admin\AppData\Local\Temp\_WER50FF.tmp.WERInternalMetadata.xml.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Windows.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_WER50FF.tmp.WERInternalMetadata.xml.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\UIAutomationClient.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\cs\WindowsBase.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\legal\jdk\jopt-simple.md.tmp C:\Users\Admin\AppData\Local\Temp\_WER50FF.tmp.WERInternalMetadata.xml.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\legal\jdk\santuario.md.tmp C:\Users\Admin\AppData\Local\Temp\_WER50FF.tmp.WERInternalMetadata.xml.exe N/A
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Ion.thmx.tmp C:\Users\Admin\AppData\Local\Temp\_WER50FF.tmp.WERInternalMetadata.xml.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlusMSDNR_Retail-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_WER50FF.tmp.WERInternalMetadata.xml.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_MAK-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_WER50FF.tmp.WERInternalMetadata.xml.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\offsymsb.ttf.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_COL.HXC.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.MashupEngine.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\msadc\it-IT\msaddsr.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Forms.Primitives.dll.tmp C:\Users\Admin\AppData\Local\Temp\_WER50FF.tmp.WERInternalMetadata.xml.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\idlj.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\fonts\LucidaBrightItalic.ttf.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Facet.thmx.tmp C:\Users\Admin\AppData\Local\Temp\_WER50FF.tmp.WERInternalMetadata.xml.exe N/A
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Gothic-Palatino Linotype.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.vsto.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\legal\jdk\jopt-simple.md.tmp C:\Users\Admin\AppData\Local\Temp\_WER50FF.tmp.WERInternalMetadata.xml.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_CopyNoDrop32x32.gif.tmp C:\Users\Admin\AppData\Local\Temp\_WER50FF.tmp.WERInternalMetadata.xml.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-conio-l1-1-0.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_WER50FF.tmp.WERInternalMetadata.xml.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected] C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fr-FR\tipresx.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\TabIpsps.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaBrightDemiItalic.ttf.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Grace-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_WER50FF.tmp.WERInternalMetadata.xml.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_KMS_Client-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL093.XML.tmp C:\Users\Admin\AppData\Local\Temp\_WER50FF.tmp.WERInternalMetadata.xml.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\hwrlatinlm.dat.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\jhat.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-heap-l1-1-0.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml.tmp C:\Users\Admin\AppData\Local\Temp\_WER50FF.tmp.WERInternalMetadata.xml.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\ospintl.dll.tmp C:\Users\Admin\AppData\Local\Temp\_WER50FF.tmp.WERInternalMetadata.xml.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\mip_clienttelemetry.dll.tmp C:\Users\Admin\AppData\Local\Temp\_WER50FF.tmp.WERInternalMetadata.xml.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ipsdan.xml.tmp C:\Users\Admin\AppData\Local\Temp\_WER50FF.tmp.WERInternalMetadata.xml.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Globalization.dll.tmp C:\Users\Admin\AppData\Local\Temp\_WER50FF.tmp.WERInternalMetadata.xml.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\msvcp140_1.dll.tmp C:\Users\Admin\AppData\Local\Temp\_WER50FF.tmp.WERInternalMetadata.xml.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\UIAutomationProvider.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_WER50FF.tmp.WERInternalMetadata.xml.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\WindowsBase.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\content-types.properties.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIntegration.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Collections.Concurrent.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\servertool.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Grace-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_WER50FF.tmp.WERInternalMetadata.xml.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial2-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_WER50FF.tmp.WERInternalMetadata.xml.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f2\FA000000002.tmp C:\Users\Admin\AppData\Local\Temp\_WER50FF.tmp.WERInternalMetadata.xml.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PowerPointInterProviderRanker.bin.tmp C:\Users\Admin\AppData\Local\Temp\_WER50FF.tmp.WERInternalMetadata.xml.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.en-us.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ipschs.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\pl\System.Windows.Forms.Design.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_WER50FF.tmp.WERInternalMetadata.xml.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\cmm\GRAY.pf.tmp C:\Users\Admin\AppData\Local\Temp\_WER50FF.tmp.WERInternalMetadata.xml.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Trial-pl.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.OAuth.dll.tmp C:\Users\Admin\AppData\Local\Temp\_WER50FF.tmp.WERInternalMetadata.xml.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\PersonaSpy.html.tmp C:\Users\Admin\AppData\Local\Temp\_WER50FF.tmp.WERInternalMetadata.xml.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fr-FR\tabskb.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.X509Certificates.dll.tmp C:\Users\Admin\AppData\Local\Temp\_WER50FF.tmp.WERInternalMetadata.xml.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Json.dll.tmp C:\Users\Admin\AppData\Local\Temp\_WER50FF.tmp.WERInternalMetadata.xml.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_KMS_Client-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\_WER50FF.tmp.WERInternalMetadata.xml.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b1d7f211c28ed65af25d260cf470d13d934bff8de966b5cf6fc5a1264165bd55.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Zombie.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b1d7f211c28ed65af25d260cf470d13d934bff8de966b5cf6fc5a1264165bd55.exe

"C:\Users\Admin\AppData\Local\Temp\b1d7f211c28ed65af25d260cf470d13d934bff8de966b5cf6fc5a1264165bd55.exe"

C:\Users\Admin\AppData\Local\Temp\_WER50FF.tmp.WERInternalMetadata.xml.exe

"_WER50FF.tmp.WERInternalMetadata.xml.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

Network

Files
