Malware Analysis Report

2025-06-16 03:34

Sample ID 240608-f9789ahd9w
Target 909ce0101f579b476aa340ee84609580_NeikiAnalytics.exe
SHA256 747bfae197fac60e6c710412f9ab8314637e082859490c87ade8a449a449ef41
Tags ransomware
Score 9/10

Analysis Overview

Score 9/10
SHA256 747bfae197fac60e6c710412f9ab8314637e082859490c87ade8a449a449ef41

Threat Level: Likely malicious

The file 909ce0101f579b476aa340ee84609580_NeikiAnalytics.exe was found to be: Likely malicious.

Malicious Activity Summary

ransomware

Renames multiple (5332) files with added filename extension

Renames multiple (6210) files with added filename extension

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported 2024-06-08 05:35

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-08 05:35
Reported 2024-06-08 05:37
Platform win7-20240220-en
Max time kernel 150s
Max time network 118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\909ce0101f579b476aa340ee84609580_NeikiAnalytics.exe"

Signatures

Renames multiple (6210) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_Check For Updates.lnk.exe N/A
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\909ce0101f579b476aa340ee84609580_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\909ce0101f579b476aa340ee84609580_NeikiAnalytics.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Java\jre7\LICENSE.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_ca.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\MSTTSFrontendENU.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Check For Updates.lnk.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-charts.xml.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\weather.js.tmp C:\Users\Admin\AppData\Local\Temp\_Check For Updates.lnk.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\lt.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\meta-index.tmp C:\Users\Admin\AppData\Local\Temp\_Check For Updates.lnk.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Africa\Lagos.tmp C:\Users\Admin\AppData\Local\Temp\_Check For Updates.lnk.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Antarctica\Palmer.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\fr-FR\Sidebar.exe.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\gadget.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\msinfo32.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\_Check For Updates.lnk.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2native.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Check For Updates.lnk.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\time-span-16.png.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\gadget.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Caracas.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.widgets.nl_zh_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\_Check For Updates.lnk.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\calendar.html.tmp C:\Users\Admin\AppData\Local\Temp\_Check For Updates.lnk.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_http_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Check For Updates.lnk.exe N/A
File created C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\MSTTSCommon.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\settings.html.tmp C:\Users\Admin\AppData\Local\Temp\_Check For Updates.lnk.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\ink\it-IT\InkObj.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_Check For Updates.lnk.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-io_zh_CN.jar.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-charts.xml.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Asia\Kabul.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\tipresx.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\msadc\msdaremr.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Check For Updates.lnk.exe N/A
File created C:\Program Files\Java\jre7\bin\ssv.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Check For Updates.lnk.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Brunei.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.app_1.0.300.v20140228-1829.jar.tmp C:\Users\Admin\AppData\Local\Temp\_Check For Updates.lnk.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Qatar.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Mexico_City.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\intf\dummy.luac.tmp C:\Users\Admin\AppData\Local\Temp\_Check For Updates.lnk.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Push\push_item.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\trusted.libraries.tmp C:\Users\Admin\AppData\Local\Temp\_Check For Updates.lnk.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Araguaina.tmp C:\Users\Admin\AppData\Local\Temp\_Check For Updates.lnk.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\add_up.png.tmp C:\Users\Admin\AppData\Local\Temp\_Check For Updates.lnk.exe N/A
File created C:\Program Files\Windows Media Player\de-DE\wmpnscfg.exe.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_matte.wmv.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_double.png.tmp C:\Users\Admin\AppData\Local\Temp\_Check For Updates.lnk.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-uihandler.xml.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.RunTime.Serialization.Resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Check For Updates.lnk.exe N/A
File created C:\Program Files\Windows Journal\it-IT\jnwmon.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows NT\TableTextService\es-ES\TableTextService.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\dicjp.bin.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsScenesBackground_PAL.wmv.tmp C:\Users\Admin\AppData\Local\Temp\_Check For Updates.lnk.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\jvm.cfg.tmp C:\Users\Admin\AppData\Local\Temp\_Check For Updates.lnk.exe N/A
File created C:\Program Files\Microsoft Games\More Games\de-DE\MoreGames.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_Check For Updates.lnk.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\sv\LC_MESSAGES\vlc.mo.tmp C:\Users\Admin\AppData\Local\Temp\_Check For Updates.lnk.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\audio_output\libdirectsound_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Check For Updates.lnk.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\codec\libsubstx3g_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Check For Updates.lnk.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\logo.png.tmp C:\Users\Admin\AppData\Local\Temp\_Check For Updates.lnk.exe N/A
File created C:\Program Files\DVD Maker\ja-JP\WMM2CLIP.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\mix.gif.tmp C:\Users\Admin\AppData\Local\Temp\_Check For Updates.lnk.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Puerto_Rico.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\sl\LC_MESSAGES\vlc.mo.tmp C:\Users\Admin\AppData\Local\Temp\_Check For Updates.lnk.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_single_bkg.png.tmp C:\Users\Admin\AppData\Local\Temp\_Check For Updates.lnk.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_Check For Updates.lnk.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationRight_SelectionSubpicture.png.tmp C:\Users\Admin\AppData\Local\Temp\_Check For Updates.lnk.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\whiteband.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\RSSFeeds.html.tmp C:\Users\Admin\AppData\Local\Temp\_Check For Updates.lnk.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\redmenu.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Riyadh88.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Mozilla Firefox\AccessibleMarshal.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Check For Updates.lnk.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2172 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\909ce0101f579b476aa340ee84609580_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\_Check For Updates.lnk.exe
PID 2172 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\909ce0101f579b476aa340ee84609580_NeikiAnalytics.exe C:\Windows\SysWOW64\Zombie.exe

Processes

C:\Users\Admin\AppData\Local\Temp\909ce0101f579b476aa340ee84609580_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\909ce0101f579b476aa340ee84609580_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\_Check For Updates.lnk.exe

"_Check For Updates.lnk.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\_Check For Updates.lnk.exe

MD5 f469b7354490a607b07883db0f43b7c4
SHA1 8bcfd245a5655fe8d836ecc774496b7c6969419b
SHA256 d7f2b6d26f293a5c298f03839fc6f7efa4815807526608cb16ad1cd867892359
SHA512 d121802ecd657227fc67d46d44a336fbcee67e9eaa99a2c7ad9886f4603bcea71918cd99ebc4513def1b86aa2f8210ad7942f4097cd93f87b45144e67f0577aa

\Windows\SysWOW64\Zombie.exe

MD5 452aad9d34884c3bb6f937506a6da106
SHA1 38d18b8f9e184c7cfead2b540918df505badd3af
SHA256 f7bab11c2deeaf4c2c8c22ad76a1ab2eaebe0ce2bef16867e2b2c573062b2439
SHA512 15ca280a5ca7773bb0e0195b6580b719eeff75ad39b876cfd37d42d07053703524693396e6e3174c1cdbe551fd578270939b633a6362f1ab1eeba25e4ecc3ec3

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-08 05:35

Reported

2024-06-08 05:37

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

93s

Command Line

"C:\Users\Admin\AppData\Local\Temp\909ce0101f579b476aa340ee84609580_NeikiAnalytics.exe"

Signatures

Renames multiple (5332) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_Check For Updates.lnk.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\909ce0101f579b476aa340ee84609580_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\909ce0101f579b476aa340ee84609580_NeikiAnalytics.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Grace-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_KMS_Client_AE-ul.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MYSL.ICO.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Tasks.Parallel.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Check For Updates.lnk.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe.tmp C:\Users\Admin\AppData\Local\Temp\_Check For Updates.lnk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\US_export_policy.jar.tmp C:\Users\Admin\AppData\Local\Temp\_Check For Updates.lnk.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-util-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Check For Updates.lnk.exe N/A
File created C:\Program Files\Microsoft Office\root\Client\vccorlib140.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\SEQCHK10.DLL.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ipsplk.xml.tmp C:\Users\Admin\AppData\Local\Temp\_Check For Updates.lnk.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ja-JP\ShapeCollector.exe.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XPath.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-private-l1-1-0.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.SqlServer.Types.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\th-TH\tipresx.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\basicelegant.dotx.tmp C:\Users\Admin\AppData\Local\Temp\_Check For Updates.lnk.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\tabskb.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Check For Updates.lnk.exe N/A
File created C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-process-l1-1-0.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_KMS_Client_AE-ul.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART1.BDR.tmp C:\Users\Admin\AppData\Local\Temp\_Check For Updates.lnk.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\CSS7DATA0009.DLL.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fr-FR\ShapeCollector.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\_Check For Updates.lnk.exe N/A
File created C:\Program Files\Common Files\microsoft shared\VSTO\vstoee100.tlb.tmp C:\Users\Admin\AppData\Local\Temp\_Check For Updates.lnk.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Dynamic.Runtime.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\UIAutomationClientSideProviders.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre-1.8\legal\jdk\giflib.md.tmp C:\Users\Admin\AppData\Local\Temp\_Check For Updates.lnk.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSWORD.OLB.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-localization-l1-2-0.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\7-Zip\Lang\hu.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.zh-cn.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Drawing.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Xaml.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Check For Updates.lnk.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\PresentationUI.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Check For Updates.lnk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG.HXS.tmp C:\Users\Admin\AppData\Local\Temp\_Check For Updates.lnk.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe.tmp C:\Users\Admin\AppData\Local\Temp\_Check For Updates.lnk.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fi-FI\tipresx.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-processthreads-l1-1-1.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Data.DataSetExtensions.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.ReaderWriter.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Check For Updates.lnk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Check For Updates.lnk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Grace-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Check For Updates.lnk.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.FileSystem.Watcher.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\WindowsFormsIntegration.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\WindowsBase.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Check For Updates.lnk.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\PresentationCore.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Check For Updates.lnk.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\UIAutomationClient.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ug.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.WebClient.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Check For Updates.lnk.exe N/A
File created C:\Program Files\Google\Chrome\Application\110.0.5481.104\Extensions\external_extensions.json.tmp C:\Users\Admin\AppData\Local\Temp\_Check For Updates.lnk.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.MashupEngine.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Check For Updates.lnk.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.FileVersionInfo.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.TypeExtensions.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Check For Updates.lnk.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\UIAutomationClient.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Check For Updates.lnk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_MAK_AE-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\IFDPINTL.DLL.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_MAK-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Check For Updates.lnk.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntryR_PrepidBypass-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\en-GB\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_Check For Updates.lnk.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.AppContext.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Timer.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\lt.pak.tmp C:\Users\Admin\AppData\Local\Temp\_Check For Updates.lnk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\legal\jdk\jcup.md.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\msvcp140.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Check For Updates.lnk.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\909ce0101f579b476aa340ee84609580_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\909ce0101f579b476aa340ee84609580_NeikiAnalytics.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

C:\Users\Admin\AppData\Local\Temp\_Check For Updates.lnk.exe

"_Check For Updates.lnk.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

memory/2792-0-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Windows\SysWOW64\Zombie.exe

MD5 452aad9d34884c3bb6f937506a6da106
SHA1 38d18b8f9e184c7cfead2b540918df505badd3af
SHA256 f7bab11c2deeaf4c2c8c22ad76a1ab2eaebe0ce2bef16867e2b2c573062b2439
SHA512 15ca280a5ca7773bb0e0195b6580b719eeff75ad39b876cfd37d42d07053703524693396e6e3174c1cdbe551fd578270939b633a6362f1ab1eeba25e4ecc3ec3

C:\Users\Admin\AppData\Local\Temp\_Check For Updates.lnk.exe

MD5 f469b7354490a607b07883db0f43b7c4
SHA1 8bcfd245a5655fe8d836ecc774496b7c6969419b
SHA256 d7f2b6d26f293a5c298f03839fc6f7efa4815807526608cb16ad1cd867892359
SHA512 d121802ecd657227fc67d46d44a336fbcee67e9eaa99a2c7ad9886f4603bcea71918cd99ebc4513def1b86aa2f8210ad7942f4097cd93f87b45144e67f0577aa

memory/5016-14-0x0000000000400000-0x0000000000408000-memory.dmp
