Malware Analysis Report

2024-10-18 21:40

Sample ID 240612-p5d92syhll
Target 3bfa3d83c3f20dc4f54fc325832f3020_NeikiAnalytics.exe
SHA256 68c3cda2c15cbe2cbbd84e254c6ec00c6c7bb7a0a5d66c3f0498d9bfcd1c465f
Tags
ransomware
score
9/10

Analysis Overview

score
9/10

SHA256

68c3cda2c15cbe2cbbd84e254c6ec00c6c7bb7a0a5d66c3f0498d9bfcd1c465f

Threat Level: Likely malicious

The file 3bfa3d83c3f20dc4f54fc325832f3020_NeikiAnalytics.exe was found to be: Likely malicious.

Malicious Activity Summary

ransomware

Renames multiple (5148) files with added filename extension

Renames multiple (4134) files with added filename extension

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-12 12:54

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 12:54

Reported

2024-06-12 12:56

Platform

win7-20240508-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3bfa3d83c3f20dc4f54fc325832f3020_NeikiAnalytics.exe"

Signatures

Renames multiple (4134) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_Desktop.ini.exe N/A
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\3bfa3d83c3f20dc4f54fc325832f3020_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\3bfa3d83c3f20dc4f54fc325832f3020_NeikiAnalytics.exe N/A

Drops file in Program Files directory


Processes

C:\Users\Admin\AppData\Local\Temp\3bfa3d83c3f20dc4f54fc325832f3020_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\3bfa3d83c3f20dc4f54fc325832f3020_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\_Desktop.ini.exe

"_Desktop.ini.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

Network

N/A

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 12:54

Reported

2024-06-12 12:56

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3bfa3d83c3f20dc4f54fc325832f3020_NeikiAnalytics.exe"

Signatures

Renames multiple (5148) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_Desktop.ini.exe N/A
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\3bfa3d83c3f20dc4f54fc325832f3020_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\3bfa3d83c3f20dc4f54fc325832f3020_NeikiAnalytics.exe N/A

Drops file in Program Files directory

Processes

C:\Users\Admin\AppData\Local\Temp\3bfa3d83c3f20dc4f54fc325832f3020_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\3bfa3d83c3f20dc4f54fc325832f3020_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\_Desktop.ini.exe

"_Desktop.ini.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files
