Malware Analysis Report

2025-06-16 03:35

Sample ID 240608-c71jvagf98
Target 84ca8d87648fa37a0b9d415bd0f76050_NeikiAnalytics.exe
SHA256 e3ce928169d86edb4170c5d884ffdb4f64635a8039b76350b8c1113e4843a419
Tags ransomware upx
Score 9/10

Analysis Overview

Threat Level: Likely malicious

The file 84ca8d87648fa37a0b9d415bd0f76050_NeikiAnalytics.exe was found to be: Likely malicious.

Malicious Activity Summary

ransomware upx

Renames multiple (4763) files with added filename extension

Renames multiple (4913) files with added filename extension

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported 2024-06-08 02:43

Signatures

UPX packed file

upx

Unsigned PE


Analysis: behavioral2

Detonation Overview

Submitted 2024-06-08 02:43
Reported 2024-06-08 02:46
Platform win10v2004-20240426-en
Max time kernel 150s
Max time network 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\84ca8d87648fa37a0b9d415bd0f76050_NeikiAnalytics.exe"

Signatures

Renames multiple (4913) files with added filename extension

ransomware

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_12283.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Zombie.exe | N/A

UPX packed file

upx

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\Zombie.exe | C:\Users\Admin\AppData\Local\Temp\84ca8d87648fa37a0b9d415bd0f76050_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Zombie.exe | C:\Users\Admin\AppData\Local\Temp\84ca8d87648fa37a0b9d415bd0f76050_NeikiAnalytics.exe | N/A

Drops file in Program Files directory


Processes

C:\Users\Admin\AppData\Local\Temp\84ca8d87648fa37a0b9d415bd0f76050_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\84ca8d87648fa37a0b9d415bd0f76050_NeikiAnalytics.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

C:\Users\Admin\AppData\Local\Temp\_12283.exe

"_12283.exe"

Network


Files


Analysis: behavioral1

Detonation Overview

Submitted 2024-06-08 02:43
Reported 2024-06-08 02:46
Platform win7-20240221-en
Max time kernel 150s
Max time network 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\84ca8d87648fa37a0b9d415bd0f76050_NeikiAnalytics.exe"

Signatures

Renames multiple (4763) files with added filename extension

ransomware

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_12283.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Zombie.exe | N/A

UPX packed file

upx

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\84ca8d87648fa37a0b9d415bd0f76050_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\84ca8d87648fa37a0b9d415bd0f76050_NeikiAnalytics.exe N/A

Drops file in Program Files directory


Processes

C:\Users\Admin\AppData\Local\Temp\84ca8d87648fa37a0b9d415bd0f76050_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\84ca8d87648fa37a0b9d415bd0f76050_NeikiAnalytics.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

C:\Users\Admin\AppData\Local\Temp\_12283.exe

"_12283.exe"

Network

N/A

Files
