Malware Analysis Report

2025-01-03 08:36

Sample ID 240611-dyh4wasdma
Target 25f24ef2378c7324383432b997619300_NeikiAnalytics.exe
SHA256 86ab9534cbe7ee01628730f79487e087ad701d54bbdc177a667c55c8eb146ab2
Tags ransomware
Score 9/10

Analysis Overview

score
9/10

SHA256

86ab9534cbe7ee01628730f79487e087ad701d54bbdc177a667c55c8eb146ab2

Threat Level: Likely malicious

The file 25f24ef2378c7324383432b997619300_NeikiAnalytics.exe was found to be: Likely malicious.

Malicious Activity Summary

ransomware

Renames multiple (5311) files with added filename extension

Renames multiple (3879) files with added filename extension

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-11 03:24

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 03:24

Reported

2024-06-11 03:27

Platform

win7-20240221-en

Max time kernel

149s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\25f24ef2378c7324383432b997619300_NeikiAnalytics.exe"

Signatures

Renames multiple (3879) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_ThemeSettings2013.xml.exe N/A
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\25f24ef2378c7324383432b997619300_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\25f24ef2378c7324383432b997619300_NeikiAnalytics.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\7-Zip\7z.exe.tmp C:\Users\Admin\AppData\Local\Temp\_ThemeSettings2013.xml.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\203x8subpicture.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\PassportMask.wmv.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Phoenix.tmp C:\Users\Admin\AppData\Local\Temp\_ThemeSettings2013.xml.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libdcp_plugin.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.directorywatcher.nl_ja_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\_ThemeSettings2013.xml.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-javahelp.xml.tmp C:\Users\Admin\AppData\Local\Temp\_ThemeSettings2013.xml.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\SystemV\EST5EDT.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\css\weather.css.tmp C:\Users\Admin\AppData\Local\Temp\_ThemeSettings2013.xml.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_rainy.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Esl\AiodLite.dll.tmp C:\Users\Admin\AppData\Local\Temp\_ThemeSettings2013.xml.exe N/A
File created C:\Program Files\Windows Media Player\es-ES\WMPDMC.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\_ThemeSettings2013.xml.exe N/A
File created C:\Program Files\Windows Media Player\de-DE\WMPSideShowGadget.exe.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\content-foreground.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_18_b81900_40x40.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\misc\libexport_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\_ThemeSettings2013.xml.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bg-desk.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Routing.dll.tmp C:\Users\Admin\AppData\Local\Temp\_ThemeSettings2013.xml.exe N/A
File created C:\Program Files\Windows Journal\es-ES\MSPVWCTL.DLL.mui.tmp C:\Users\Admin\AppData\Local\Temp\_ThemeSettings2013.xml.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Etc\GMT-2.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\misc\libgnutls_plugin.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\7-Zip\Lang\en.ttt.tmp C:\Users\Admin\AppData\Local\Temp\_ThemeSettings2013.xml.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_ThemeSettings2013.xml.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe.tmp C:\Users\Admin\AppData\Local\Temp\_ThemeSettings2013.xml.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\sunmscapi.dll.tmp C:\Users\Admin\AppData\Local\Temp\_ThemeSettings2013.xml.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.net_1.2.200.v20120807-0927.jar.tmp C:\Users\Admin\AppData\Local\Temp\_ThemeSettings2013.xml.exe N/A
File created C:\Program Files\Java\jre7\lib\fonts\LucidaBrightItalic.ttf.tmp C:\Users\Admin\AppData\Local\Temp\_ThemeSettings2013.xml.exe N/A
File created C:\Program Files\Windows Media Player\es-ES\mpvis.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_ThemeSettings2013.xml.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\delete_over.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp.tmp C:\Users\Admin\AppData\Local\Temp\_ThemeSettings2013.xml.exe N/A
File opened for modification C:\Program Files\DisableConvertFrom.rar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_zh_HK.properties.tmp C:\Users\Admin\AppData\Local\Temp\_ThemeSettings2013.xml.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA.tmp C:\Users\Admin\AppData\Local\Temp\_ThemeSettings2013.xml.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-charts_zh_CN.jar.tmp C:\Users\Admin\AppData\Local\Temp\_ThemeSettings2013.xml.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\security\javafx.policy.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_ThemeSettings2013.xml.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwrcatsh.dat.tmp C:\Users\Admin\AppData\Local\Temp\_ThemeSettings2013.xml.exe N/A
File created C:\Program Files\Windows Mail\MSOERES.dll.tmp C:\Users\Admin\AppData\Local\Temp\_ThemeSettings2013.xml.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_MCELogo_mouseout.png.tmp C:\Users\Admin\AppData\Local\Temp\_ThemeSettings2013.xml.exe N/A
File created C:\Program Files\Java\jre7\bin\eula.dll.tmp C:\Users\Admin\AppData\Local\Temp\_ThemeSettings2013.xml.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Europe\Monaco.tmp C:\Users\Admin\AppData\Local\Temp\_ThemeSettings2013.xml.exe N/A
File created C:\Program Files\MoveCompress.clr.tmp C:\Users\Admin\AppData\Local\Temp\_ThemeSettings2013.xml.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\UIAutomationProvider.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_srt_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\_ThemeSettings2013.xml.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\ended_review_or_form.gif.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\PresentationBuildTasks.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_ThemeSettings2013.xml.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libt140_plugin.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Defender\en-US\MpEvMsg.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-image-mask.png.tmp C:\Users\Admin\AppData\Local\Temp\_ThemeSettings2013.xml.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\feature.properties.tmp C:\Users\Admin\AppData\Local\Temp\_ThemeSettings2013.xml.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-options-keymap.xml.tmp C:\Users\Admin\AppData\Local\Temp\_ThemeSettings2013.xml.exe N/A
File created C:\Program Files\Windows Journal\ja-JP\Journal.exe.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows NT\TableTextService\TableTextService.dll.tmp C:\Users\Admin\AppData\Local\Temp\_ThemeSettings2013.xml.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Asia\Baghdad.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\features\[email protected] C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\tabskb.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_ThemeSettings2013.xml.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\oracle.gif.tmp C:\Users\Admin\AppData\Local\Temp\_ThemeSettings2013.xml.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.swt.nl_ja_4.4.0.v20140623020002.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPTSFrame.png.tmp C:\Users\Admin\AppData\Local\Temp\_ThemeSettings2013.xml.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\sa-jdi.jar.tmp C:\Users\Admin\AppData\Local\Temp\_ThemeSettings2013.xml.exe N/A
File created C:\Program Files\Java\jre7\lib\resources.jar.tmp C:\Users\Admin\AppData\Local\Temp\_ThemeSettings2013.xml.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\settings.html.tmp C:\Windows\SysWOW64\Zombie.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\25f24ef2378c7324383432b997619300_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\25f24ef2378c7324383432b997619300_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\_ThemeSettings2013.xml.exe

"_ThemeSettings2013.xml.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

Network

N/A

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-06-11 03:24

Reported

2024-06-11 03:27

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

52s

Command Line

"C:\Users\Admin\AppData\Local\Temp\25f24ef2378c7324383432b997619300_NeikiAnalytics.exe"

Signatures

Renames multiple (5311) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_ThemeSettings2013.xml.exe N/A
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\25f24ef2378c7324383432b997619300_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\25f24ef2378c7324383432b997619300_NeikiAnalytics.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\offsym.ttf.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\StoreLogo.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\javapackager.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-string-l1-1-0.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Word.Word.x-none.msi.16.x-none.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Templates\1033\TimeCard.xltx.tmp C:\Users\Admin\AppData\Local\Temp\_ThemeSettings2013.xml.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\WindowsBase.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_ThemeSettings2013.xml.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\management\jmxremote.password.template.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Facet.thmx.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_KMS_Client-ul.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\PICTIM32.FLT.tmp C:\Users\Admin\AppData\Local\Temp\_ThemeSettings2013.xml.exe N/A
File created C:\Program Files\Common Files\System\fr-FR\wab32res.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_ThemeSettings2013.xml.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.AeroLite.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-heap-l1-1-0.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GOTHIC.TTF.tmp C:\Users\Admin\AppData\Local\Temp\_ThemeSettings2013.xml.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\ospintl.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ARIALNBI.TTF.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-pl.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.TraceSource.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_KMS_ClientC2R-ul.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\rsod\dcf.x-none.msi.16.x-none.boot.tree.dat.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-heap-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\_ThemeSettings2013.xml.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_ThemeSettings2013.xml.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\WordVL_KMS_Client-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_ThemeSettings2013.xml.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\PRIVATE_ODBC32.dll.tmp C:\Users\Admin\AppData\Local\Temp\_ThemeSettings2013.xml.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PROOF\MSSP7ES.LEX.tmp C:\Users\Admin\AppData\Local\Temp\_ThemeSettings2013.xml.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription2-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_ThemeSettings2013.xml.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Retail-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_ThemeSettings2013.xml.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_ThemeSettings2013.xml.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MsoAriaCApiWrapper.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Retail-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_ThemeSettings2013.xml.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.VisualStudio.OLE.Interop.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ANTQUAI.TTF.tmp C:\Users\Admin\AppData\Local\Temp\_ThemeSettings2013.xml.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\UIAutomationTypes.dll.tmp C:\Users\Admin\AppData\Local\Temp\_ThemeSettings2013.xml.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\System.Windows.Forms.Primitives.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_ThemeSettings2013.xml.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\MEIPreload\manifest.json.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial2-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_ThemeSettings2013.xml.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipssve.xml.tmp C:\Users\Admin\AppData\Local\Temp\_ThemeSettings2013.xml.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Numerics.dll.tmp C:\Users\Admin\AppData\Local\Temp\_ThemeSettings2013.xml.exe N/A
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Smokey Glass.eftx.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\MISTRAL.TTF.tmp C:\Users\Admin\AppData\Local\Temp\_ThemeSettings2013.xml.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Xaml.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_ThemeSettings2013.xml.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\jfxswt.jar.tmp C:\Users\Admin\AppData\Local\Temp\_ThemeSettings2013.xml.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\Fonts\private\MTEXTRA.TTF.tmp C:\Users\Admin\AppData\Local\Temp\_ThemeSettings2013.xml.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\lib\jvm.lib.tmp C:\Users\Admin\AppData\Local\Temp\_ThemeSettings2013.xml.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_SubTrial-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_ThemeSettings2013.xml.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\it-IT\TipRes.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Encoding.Extensions.dll.tmp C:\Users\Admin\AppData\Local\Temp\_ThemeSettings2013.xml.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\WindowsBase.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\UIAutomationProvider.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Overlapped.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Luna.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\legal\javafx\libffi.md.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework-SystemDrawing.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Professional2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Templates\1033\EssentialReport.dotx.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\7-Zip\Lang\nn.txt.tmp C:\Users\Admin\AppData\Local\Temp\_ThemeSettings2013.xml.exe N/A
File created C:\Program Files\7-Zip\Lang\sk.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Grace-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_ThemeSettings2013.xml.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL082.XML.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ipsdan.xml.tmp C:\Users\Admin\AppData\Local\Temp\_ThemeSettings2013.xml.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\25f24ef2378c7324383432b997619300_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\25f24ef2378c7324383432b997619300_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\_ThemeSettings2013.xml.exe

"_ThemeSettings2013.xml.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

Network

Files
