Malware Analysis Report

2024-09-23 05:08

Sample ID 240613-bv46tsyhjh
Target 53a0476a5fc699ac9284b6817dc21d90_NeikiAnalytics.exe
SHA256 9524a051a165f8d599fc19efc084c7b45fe5b5e6d2d405f8bb8ea38f17c4fb23
Tags ransomware
Score 9/10

Analysis Overview

Score 9/10
SHA256 9524a051a165f8d599fc19efc084c7b45fe5b5e6d2d405f8bb8ea38f17c4fb23

Threat Level: Likely malicious

The file 53a0476a5fc699ac9284b6817dc21d90_NeikiAnalytics.exe was found to be: Likely malicious.

Malicious Activity Summary

ransomware

Renames multiple (5051) files with added filename extension

Renames multiple (4077) files with added filename extension

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported 2024-06-13 01:28

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-13 01:28
Reported 2024-06-13 01:31
Platform win7-20240419-en
Max time kernel 150s
Max time network 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\53a0476a5fc699ac9284b6817dc21d90_NeikiAnalytics.exe"

Signatures

Renames multiple (4077) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\53a0476a5fc699ac9284b6817dc21d90_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\53a0476a5fc699ac9284b6817dc21d90_NeikiAnalytics.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\15x15dot.png.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Kentucky\Monticello.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-full_partly-cloudy.png.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\btn-previous-static.png.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.commands.nl_ja_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.transport.ecf.nl_ja_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-io-ui.xml.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\d3dcompiler_47.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_Main_Background_Loading.png.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ja-jp.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\mainscroll.png.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\TravelIntroToMain_PAL.wmv.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaTypewriterRegular.ttf.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Bangkok.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File created C:\Program Files\Mozilla Firefox\defaultagent_localized.ini.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationRight_ButtonGraphic.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Management.Instrumentation.Resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\gui\libqt_plugin.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Media Player\fr-FR\setup_wm.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\button-highlight.png.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\contbig.gif.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64.nl_zh_4.4.0.v20140623020002.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7TSFrame.png.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-core_ja.jar.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\demux\libdemuxdump_plugin.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\tile_bezel.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\TipRes.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passport.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libyuvp_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File created C:\Program Files\Windows Media Player\en-US\wmplayer.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File created C:\Program Files\Windows Media Player\Network Sharing\wmpnss_bw48.jpg.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ru.pak.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\index.gif.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.event_1.3.100.v20140115-1647.jar.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File created C:\Program Files\Windows Journal\es-ES\jnwdui.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_PreComp_MATTE_PAL.wmv.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Internet Explorer\pdmproxy100.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\sawindbg.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Nassau.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification.ja_5.5.0.165303.jar.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Denver.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Cape_Verde.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\vlc.mo.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\demux\libty_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_ogg_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\gadget.xml.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_divider_right.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\meta\art\02_frenchtv.luac.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File created C:\Program Files\Windows Media Player\de-DE\wmpnssci.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\hr.pak.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-options_ja.jar.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Europe\Warsaw.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\Office14\1033\BHOINTL.DLL.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Office14\OLKFSTUB.DLL.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\meta\art\01_googleimage.luac.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\calendar.html.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\info.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Memories_buttonClear.png.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File created C:\Program Files\Internet Explorer\Timeline_is.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_pt_BR.properties.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\video_filter\libcolorthres_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File created C:\Program Files\Windows Media Player\fr-FR\mpvis.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\53a0476a5fc699ac9284b6817dc21d90_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\53a0476a5fc699ac9284b6817dc21d90_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe

"_Get-PackageCacheLocation.ps1.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe

MD5 a65a6ef6ab65a019c7a5ebb590b8a433
SHA1 c8638351ddb72fdc0ecc0927c035e3a828d7a1dd
SHA256 79cfa630345571e18db45f9a061f5657a659b7a6c447f511990826eeb655d99a
SHA512 2caa3dab6e706031edeac6965fdb04cd71e172677fb05f10a19e198efee66d71cd03e4a68f1dab0e885b3da657a62672d78c5f55707947c4d85d7946a1bfb9d2

\Windows\SysWOW64\Zombie.exe

MD5 38bd6436596fcbd7baa1712ade648b07
SHA1 507a5b05e9c6e82bd3d8e992868f648116ac30a8
SHA256 5f2c72e14b67a4ce86d2b6e26acb2b46b935bd3ac583df75246bd24fe1ddd59e
SHA512 3778c96da4c3666305149a0b81725f22f86aaac158f55d919287a3dfe77a04df0808ed9f0af42312c72ff3962f580359a7393568bd86fba09904b4f4b8852787

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-13 01:28
Reported 2024-06-13 01:31
Platform win10v2004-20240611-en
Max time kernel 150s
Max time network 131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\53a0476a5fc699ac9284b6817dc21d90_NeikiAnalytics.exe"

Signatures

Renames multiple (5051) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\53a0476a5fc699ac9284b6817dc21d90_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\53a0476a5fc699ac9284b6817dc21d90_NeikiAnalytics.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-conio-l1-1-0.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ms-my.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fr-FR\InkObj.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.WebProxy.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\legal\jdk\colorimaging.md.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Memory.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.OpenSsl.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ServiceModel.Web.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\wsdetect.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Xaml.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail2-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Trial-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\16\Built-In Building Blocks.dotx.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\en-US\sqloledb.rll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.Royale.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\prism_sw.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Retail-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\DIFF_MATCH_PATCH_WIN32.DLL.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT.HXS.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\mscordbi.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.DispatchProxy.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\UIAutomationProvider.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-filesystem-l1-1-0.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-utility-l1-1-0.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription3-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.nl-nl.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\de-DE\TipTsf.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fr-FR\tabskb.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-errorhandling-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Drawing.Common.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Windows.Forms.Primitives.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_KMS_Client_AE-ul.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File created C:\Program Files\7-Zip\Lang\hr.txt.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File created C:\Program Files\Common Files\System\ado\msador28.tlb.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Configuration.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.XPath.XDocument.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\dcpr.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\Office.Runtime.js.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.Process.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\UIAutomationClient.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\PresentationUI.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\eula.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\legal\jdk\libpng.md.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_MAK-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_OEM_Perp-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Globalization.Extensions.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Extensions.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Encoding.Extensions.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Windows.Controls.Ribbon.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Input.Manipulations.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-math-l1-1-0.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\mraut.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial2-pl.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial2-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\PresentationCore.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.ReportingServices.DataExtensions.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\WordVL_MAK-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.StackTrace.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Sockets.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Microsoft.WindowsDesktop.App.deps.json.tmp C:\Windows\SysWOW64\Zombie.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\53a0476a5fc699ac9284b6817dc21d90_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\53a0476a5fc699ac9284b6817dc21d90_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\_Get-PackageCacheLocation.ps1.exe

"_Get-PackageCacheLocation.ps1.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4224,i,3833046924978547022,12404847742964713612,262144 --variations-seed-version --mojo-platform-channel-handle=3776 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
BE 2.17.107.105:443 www.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 105.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp

Files
