Malware Analysis Report

2025-01-03 08:34

Sample ID: 240611-ak8ktsxall
Target: 208c98398f4442899d0e8cbf390ccf70_NeikiAnalytics.exe
SHA256: 711248037a4d3bf5fcd2cc8b9463c7bb9dd8ff8d2a39e43244b6af3c868d478e
Tags: ransomware
Score: 9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 9/10

SHA256: 711248037a4d3bf5fcd2cc8b9463c7bb9dd8ff8d2a39e43244b6af3c868d478e

Threat Level: Likely malicious

The file 208c98398f4442899d0e8cbf390ccf70_NeikiAnalytics.exe was found to be: Likely malicious.

Malicious Activity Summary

ransomware

Renames multiple (5148) files with added filename extension

Renames multiple (3909) files with added filename extension

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-11 00:17

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-11 00:17
Reported: 2024-06-11 00:19
Platform: win7-20231129-en
Max time kernel: 150s
Max time network: 118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\208c98398f4442899d0e8cbf390ccf70_NeikiAnalytics.exe"

Signatures

Renames multiple (3909) files with added filename extension

ransomware

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_Remove-Process.ps1.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Zombie.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\Zombie.exe | C:\Users\Admin\AppData\Local\Temp\208c98398f4442899d0e8cbf390ccf70_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Zombie.exe | C:\Users\Admin\AppData\Local\Temp\208c98398f4442899d0e8cbf390ccf70_NeikiAnalytics.exe | N/A

Drops file in Program Files directory


Processes

C:\Users\Admin\AppData\Local\Temp\208c98398f4442899d0e8cbf390ccf70_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\208c98398f4442899d0e8cbf390ccf70_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\_Remove-Process.ps1.exe

"_Remove-Process.ps1.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

Network

N/A

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-06-11 00:17

Reported

2024-06-11 00:19

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\208c98398f4442899d0e8cbf390ccf70_NeikiAnalytics.exe"

Signatures

Renames multiple (5148) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_Remove-Process.ps1.exe N/A
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\208c98398f4442899d0e8cbf390ccf70_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\208c98398f4442899d0e8cbf390ccf70_NeikiAnalytics.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\System.Windows.Input.Manipulations.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Remove-Process.ps1.exe N/A
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Georgia.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ViewOnly_ZeroGrace-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Remove-Process.ps1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_OEM_Perp-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Remove-Process.ps1.exe N/A
File created C:\Program Files\7-Zip\Lang\ku-ckb.txt.tmp C:\Users\Admin\AppData\Local\Temp\_Remove-Process.ps1.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\WindowsBase.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-errorhandling-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Remove-Process.ps1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Remove-Process.ps1.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\OneNote\prnSendToOneNote_win7.cat.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\oledbvbs.inc.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\msadc\it-IT\msdaprsr.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-file-l2-1-0.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial2-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_WHATSNEW.XML.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ro.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\msadc\msadds.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Remove-Process.ps1.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\System.Xaml.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Remove-Process.ps1.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Remove-Process.ps1.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.DataStreamer.Excel.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Remove-Process.ps1.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\de-DE\InputPersonalization.exe.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-timezone-l1-1-0.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Remove-Process.ps1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_MAKC2R-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Remove-Process.ps1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\STSLIST.CHM.tmp C:\Users\Admin\AppData\Local\Temp\_Remove-Process.ps1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1036\MSO.ACL.tmp C:\Users\Admin\AppData\Local\Temp\_Remove-Process.ps1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\TITLE.XSL.tmp C:\Users\Admin\AppData\Local\Temp\_Remove-Process.ps1.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-80.png.tmp C:\Users\Admin\AppData\Local\Temp\_Remove-Process.ps1.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Windows.Controls.Ribbon.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription4-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Remove-Process.ps1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f2\FA000000002.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PROOF\msth8EN.LEX.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.Linq.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Remove-Process.ps1.exe N/A
File created C:\Program Files\Common Files\System\ja-JP\wab32res.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ObjectModel.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_KMS_Client-ul.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Remove-Process.ps1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcDemoR_BypassTrial365-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Remove-Process.ps1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial4-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Remove-Process.ps1.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\Microsoft.Ink.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\en-US\ShapeCollector.exe.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Tasks.Extensions.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Resources.Reader.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Remove-Process.ps1.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\UIAutomationTypes.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Windows.Forms.Primitives.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Remove-Process.ps1.exe N/A
File created C:\Program Files\7-Zip\7zG.exe.tmp C:\Users\Admin\AppData\Local\Temp\_Remove-Process.ps1.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\legal\jdk\lcms.md.tmp C:\Users\Admin\AppData\Local\Temp\_Remove-Process.ps1.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\hostpolicy.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ReachFramework.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Remove-Process.ps1.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\Microsoft.VisualBasic.Forms.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Remove-Process.ps1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial1-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Remove-Process.ps1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp5-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Remove-Process.ps1.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\Content.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MEDIA\BOMB.WAV.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Windows.Controls.Ribbon.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Remove-Process.ps1.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\UIAutomationProvider.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Remove-Process.ps1.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\gu.pak.tmp C:\Users\Admin\AppData\Local\Temp\_Remove-Process.ps1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Georgia.xml.tmp C:\Users\Admin\AppData\Local\Temp\_Remove-Process.ps1.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\UIAutomationClientSideProviders.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\en-GB.pak.tmp C:\Users\Admin\AppData\Local\Temp\_Remove-Process.ps1.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\deploy\messages_zh_TW.properties.tmp C:\Users\Admin\AppData\Local\Temp\_Remove-Process.ps1.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Retail-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Trial-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Remove-Process.ps1.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\208c98398f4442899d0e8cbf390ccf70_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\208c98398f4442899d0e8cbf390ccf70_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\_Remove-Process.ps1.exe

"_Remove-Process.ps1.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

Network

Files

C:\Users\Admin\AppData\Local\Temp\_Remove-Process.ps1.exe

MD5 caf7791fef41f6dadd7207d8c62d3948
SHA1 16b5207218def7bfb3ee28fc63470339514b6fd5
SHA256 56d8310c2d2b28b88cda8011c1941d67a391ad53517e256f593f48631b94ddc2
SHA512 1011af8163b205d4360056126655611468c20f115ebdf88f719978e0d46893c44d41b388a5a7f303f359ddf985a70ca56886c8c478aa906e5005f0a386bdf38c

C:\Windows\SysWOW64\Zombie.exe

MD5 16c0a5ce3b5d2cdafaeb552f293c1b37
SHA1 ca1d321b3559cf39a9cebfc4cb82441b0a1704bd
SHA256 f068457762607426d6abce8447742b78de30522b67c6e15f0c582d32d8af91a1
SHA512 4e1cd18189e1b1fca675b345d2e3df20390e82f11d2cfed7dd7db246e28a074ad3ab385d833da0d23e36a096ec991f7fd2f6e2b6bd8aa1749d0964905ced8fd3
