Malware Analysis Report

2025-01-17 23:04

Sample ID 240603-p7e95agf47
Target a43a82f14a064ab9dab2480692348e70_NeikiAnalytics.exe
SHA256 a6da16d7b10d4dcbe78622340b5568be99e97bf1fc91e08f9d636ea57f174159
Tags ransomware
Score 9/10

Analysis Overview

score
9/10

SHA256

a6da16d7b10d4dcbe78622340b5568be99e97bf1fc91e08f9d636ea57f174159

Threat Level: Likely malicious

The file a43a82f14a064ab9dab2480692348e70_NeikiAnalytics.exe was found to be: Likely malicious.

Malicious Activity Summary

ransomware

Renames multiple (5071) files with added filename extension

Renames multiple (4079) files with added filename extension

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-03 12:57

Signatures

Unsigned PE

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 12:57

Reported

2024-06-03 13:00

Platform

win7-20240221-en

Max time kernel

150s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a43a82f14a064ab9dab2480692348e70_NeikiAnalytics.exe"

Signatures

Renames multiple (4079) files with added filename extension

ransomware

Executes dropped EXE

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_Examples.lnk.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Zombie.exe | N/A |

Drops file in System32 directory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\Zombie.exe | C:\Users\Admin\AppData\Local\Temp\a43a82f14a064ab9dab2480692348e70_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Zombie.exe | C:\Users\Admin\AppData\Local\Temp\a43a82f14a064ab9dab2480692348e70_NeikiAnalytics.exe | N/A |

Drops file in Program Files directory


Processes

C:\Users\Admin\AppData\Local\Temp\a43a82f14a064ab9dab2480692348e70_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\a43a82f14a064ab9dab2480692348e70_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\_Examples.lnk.exe

"_Examples.lnk.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\_Examples.lnk.exe

MD5 eb47175e1e72f0c6cae2ad1b5804e280
SHA1 e69a8ea9407e31d7ff6b0e16b20b8cf466fe7aad
SHA256 a2ccf8041726d91d71d50c4c0ae92cc728a4033c456c30988b8542933dd3aab9
SHA512 0ed5a39f92670051b93d8c2ea2d125b414a3399894498b0b332aeff1880d225d688e93dd24cd903a0960aeebcb55f5284766bbaff2137e591d36c48a37bc551e

\Windows\SysWOW64\Zombie.exe

MD5 554e81e7a9c64be38ddaa42d85938f0a
SHA1 cef6dd275d443e16c49fd5e81fa0960e90454461
SHA256 f5f34b93268aed0465966be3ce6b70b4378a851378dd7f3dbf2bc443c069ab59
SHA512 dcff44e231ed1631bc460249e98c5b52a96aa856df9cd5d69ebde6d87bc90d9f655594656c29951ef930aed07d47ee9c6773d63a9262cc172ef385dc1153dfb9

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 12:57

Reported

2024-06-03 13:00

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a43a82f14a064ab9dab2480692348e70_NeikiAnalytics.exe"

Signatures

Renames multiple (5071) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_Examples.lnk.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\a43a82f14a064ab9dab2480692348e70_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\a43a82f14a064ab9dab2480692348e70_NeikiAnalytics.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\PresentationUI.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Trial-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Examples.lnk.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\uk-UA\tabskb.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Examples.lnk.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\System.Windows.Input.Manipulations.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Examples.lnk.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\System.Windows.Input.Manipulations.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Examples.lnk.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioProDemoR_BypassTrial180-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Examples.lnk.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\hu\msipc.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\OpenSSL64.DllA\libssl-1_1-x64.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\7-Zip\Lang\bn.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Internet Explorer\fr-FR\ieinstal.exe.mui.exe.tmp C:\Users\Admin\AppData\Local\Temp\_Examples.lnk.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_MoveNoDrop32x32.gif.tmp C:\Users\Admin\AppData\Local\Temp\_Examples.lnk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Grace-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_MAK-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\msvcp120.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Examples.lnk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-locale-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Examples.lnk.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\WindowsBase.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Examples.lnk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\msvcp140.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_MAK-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Examples.lnk.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Examples.lnk.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Diagnostics.PerformanceCounter.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN111.XML.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART12.BDR.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Common Files\System\ado\adojavas.inc.tmp C:\Users\Admin\AppData\Local\Temp\_Examples.lnk.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-synch-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Examples.lnk.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\t2k.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Examples.lnk.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Excel.Common.FrontEnd.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Examples.lnk.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\msoasb.exe.manifest.tmp C:\Users\Admin\AppData\Local\Temp\_Examples.lnk.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Numerics.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Pipes.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Examples.lnk.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\ReachFramework.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Examples.lnk.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\UIAutomationClientSideProviders.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Examples.lnk.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVCatalog.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.TypeExtensions.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.NameResolution.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Examples.lnk.exe N/A
File created C:\Program Files\Common Files\System\en-US\wab32res.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_Examples.lnk.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\WindowsBase.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Examples.lnk.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail2-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\WindowsFormsIntegration.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Examples.lnk.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\MSOSEC.XML.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\an.txt.tmp C:\Users\Admin\AppData\Local\Temp\_Examples.lnk.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Forms.Primitives.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Examples.lnk.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\WindowsBase.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Examples.lnk.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\UIAutomationTypes.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Examples.lnk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial2-pl.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\WordVL_KMS_Client-ul.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Examples.lnk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected] C:\Users\Admin\AppData\Local\Temp\_Examples.lnk.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\va.txt.tmp C:\Users\Admin\AppData\Local\Temp\_Examples.lnk.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.AccessControl.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Examples.lnk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\management\jmxremote.password.template.tmp C:\Users\Admin\AppData\Local\Temp\_Examples.lnk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Examples.lnk.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.HttpListener.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Examples.lnk.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Private.CoreLib.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Trial-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.scale-100.png.tmp C:\Users\Admin\AppData\Local\Temp\_Examples.lnk.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_jpn.xml.tmp C:\Users\Admin\AppData\Local\Temp\_Examples.lnk.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\msxactps.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Examples.lnk.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Transactions.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_OEM_Perp-ul-phn.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Examples.lnk.exe N/A
File opened for modification C:\Program Files\Internet Explorer\es-ES\iexplore.exe.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Trial-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Examples.lnk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE.tmp C:\Windows\SysWOW64\Zombie.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a43a82f14a064ab9dab2480692348e70_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\a43a82f14a064ab9dab2480692348e70_NeikiAnalytics.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

C:\Users\Admin\AppData\Local\Temp\_Examples.lnk.exe

"_Examples.lnk.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 152.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
NL 23.62.61.72:443 www.bing.com tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 215.143.182.52.in-addr.arpa udp

Files
