Malware Analysis Report

2024-09-09 20:20

Sample ID 240613-2v3k4stfne
Target 8dda59e84c3da574639d284adbc8cbb0_NeikiAnalytics.exe
SHA256 dc0cb9152d6f0066f186315deebda03ebd16029a944170a2ea54d32865fa42c5
Tags ransomware
Score 9/10

Analysis Overview

score
9/10

SHA256

dc0cb9152d6f0066f186315deebda03ebd16029a944170a2ea54d32865fa42c5

Threat Level: Likely malicious

The file 8dda59e84c3da574639d284adbc8cbb0_NeikiAnalytics.exe was found to be: Likely malicious.

Malicious Activity Summary

ransomware

Renames multiple (5124) files with added filename extension

Renames multiple (4075) files with added filename extension

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-13 22:55

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 22:55

Reported

2024-06-13 22:57

Platform

win7-20240221-en

Max time kernel

150s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8dda59e84c3da574639d284adbc8cbb0_NeikiAnalytics.exe"

Signatures

Renames multiple (4075) files with added filename extension

ransomware

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_python.nuspec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Zombie.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\Zombie.exe | C:\Users\Admin\AppData\Local\Temp\8dda59e84c3da574639d284adbc8cbb0_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Zombie.exe | C:\Users\Admin\AppData\Local\Temp\8dda59e84c3da574639d284adbc8cbb0_NeikiAnalytics.exe | N/A

Drops file in Program Files directory

Processes

C:\Users\Admin\AppData\Local\Temp\8dda59e84c3da574639d284adbc8cbb0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\8dda59e84c3da574639d284adbc8cbb0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\_python.nuspec.exe

"_python.nuspec.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\_python.nuspec.exe

MD5 30d77c8505ead63bb929eb76ea89e9ec
SHA1 3e63c99be020765e4ebf0d3ece0c638056190876
SHA256 91962754a2fc4242f96067202e9dbf760fcf858a06b1b5a0bd719045b7050dd4
SHA512 83a4a4a756c50a1cf254914b137fe54669c7fb2e51d5af8a36149a63d474582ab01458fb8c100952f5e776197f57514753350e56d7164d799ce28a96486c6673

\Windows\SysWOW64\Zombie.exe

MD5 f052d15f1b566107764a2774908b6af1
SHA1 9e1028843bff7fdffbef8a8a41d0f96811c6316d
SHA256 f85dab0872df5adbdf677222092b0856a1838d56cae16021d069f293b4b34b61
SHA512 40ec41f35a125c28196e16365bd2b8b480edcd6d19c0132f248b3b32f04f22fa49efe1c7bc5acb9106215e1630475f4e3ba562d77b2d707b6dd1bc1562c798bd

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 22:55

Reported

2024-06-13 22:57

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

53s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8dda59e84c3da574639d284adbc8cbb0_NeikiAnalytics.exe"

Signatures

Renames multiple (5124) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_python.nuspec.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\8dda59e84c3da574639d284adbc8cbb0_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\8dda59e84c3da574639d284adbc8cbb0_NeikiAnalytics.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\msquic.dll.tmp C:\Users\Admin\AppData\Local\Temp\_python.nuspec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\jsoundds.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial3-pl.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_MAK_AE-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\OneNote\SendToOneNoteNames.gpd.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-stdio-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\_python.nuspec.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\javafx_iio.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_KMS_Client-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_python.nuspec.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Trial-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_python.nuspec.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-file-l2-1-0.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.UnmanagedMemoryStream.dll.tmp C:\Users\Admin\AppData\Local\Temp\_python.nuspec.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\UIAutomationClient.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Google\Chrome\Application\110.0.5481.104\VisualElements\SmallLogoDev.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription5-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_python.nuspec.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ONENOTEIMP.DLL.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\rsod\wordmui.msi.16.en-us.tree.dat.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\es-ES\msaddsr.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.Annotations.dll.tmp C:\Users\Admin\AppData\Local\Temp\_python.nuspec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\Microsoft.VisualBasic.Forms.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\legal\javafx\glib.md.tmp C:\Users\Admin\AppData\Local\Temp\_python.nuspec.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\invalid32x32.gif.exe.tmp C:\Users\Admin\AppData\Local\Temp\_python.nuspec.exe N/A
File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml.tmp C:\Users\Admin\AppData\Local\Temp\_python.nuspec.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Corbel.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\pkeyconfig-office.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sr-latn-rs.dll.tmp C:\Users\Admin\AppData\Local\Temp\_python.nuspec.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial2-pl.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\Microsoft.VisualBasic.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_python.nuspec.exe N/A
File created C:\Program Files\Google\Chrome\Application\110.0.5481.104\eventlog_provider.dll.tmp C:\Users\Admin\AppData\Local\Temp\_python.nuspec.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_python.nuspec.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_KMS_Client_AE-ul.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\sbicuin58_64.dll.tmp C:\Users\Admin\AppData\Local\Temp\_python.nuspec.exe N/A
File created C:\Program Files\7-Zip\Lang\cs.txt.tmp C:\Users\Admin\AppData\Local\Temp\_python.nuspec.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\clrgc.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\ar.pak.tmp C:\Users\Admin\AppData\Local\Temp\_python.nuspec.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-stdio-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\_python.nuspec.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\legal\javafx\public_suffix.md.tmp C:\Users\Admin\AppData\Local\Temp\_python.nuspec.exe N/A
File opened for modification C:\Program Files\Microsoft Office\AppXManifest.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription5-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSOHTMED.EXE.tmp C:\Users\Admin\AppData\Local\Temp\_python.nuspec.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\msdaps.dll.tmp C:\Users\Admin\AppData\Local\Temp\_python.nuspec.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\WindowsBase.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_python.nuspec.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\Microsoft.VisualBasic.Forms.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.Win32.SystemEvents.dll.tmp C:\Users\Admin\AppData\Local\Temp\_python.nuspec.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\WindowsFormsIntegration.dll.tmp C:\Users\Admin\AppData\Local\Temp\_python.nuspec.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework-SystemDrawing.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_KMS_Client-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Collections.NonGeneric.dll.tmp C:\Users\Admin\AppData\Local\Temp\_python.nuspec.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Numerics.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe.tmp C:\Users\Admin\AppData\Local\Temp\_python.nuspec.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntry2019R_PrepidBypass-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN082.XML.tmp C:\Users\Admin\AppData\Local\Temp\_python.nuspec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ValueTuple.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\System.Windows.Forms.Design.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_python.nuspec.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\legal\jdk\dynalink.md.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Primitives.dll.tmp C:\Users\Admin\AppData\Local\Temp\_python.nuspec.exe N/A
File created C:\Program Files\Microsoft Office\root\loc\AppXManifestLoc.16.en-us.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\System.Windows.Controls.Ribbon.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_python.nuspec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\WindowsBase.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_python.nuspec.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Windows.Forms.Primitives.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk-1.8\legal\jdk\cldr.md.tmp C:\Users\Admin\AppData\Local\Temp\_python.nuspec.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8dda59e84c3da574639d284adbc8cbb0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\8dda59e84c3da574639d284adbc8cbb0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\_python.nuspec.exe

"_python.nuspec.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

Network

Files
