Malware Analysis Report

2024-09-23 05:09

Sample ID 240613-c19tyavemj
Target 57920690aa05d4f963d108f5c38cb9b0_NeikiAnalytics.exe
SHA256 d63291fe42b7c0f2e6759ae58ab2bda172e91e8d6259f568a81906a607fbfc8e
Tags ransomware
Score 9/10

Analysis Overview

Score 9/10
SHA256 d63291fe42b7c0f2e6759ae58ab2bda172e91e8d6259f568a81906a607fbfc8e

Threat Level: Likely malicious

The file 57920690aa05d4f963d108f5c38cb9b0_NeikiAnalytics.exe was found to be: Likely malicious.

Malicious Activity Summary

ransomware

Renames multiple (4292) files with added filename extension

Renames multiple (5279) files with added filename extension

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported 2024-06-13 02:33

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-13 02:33
Reported 2024-06-13 02:36
Platform win7-20240611-en
Max time kernel 150s
Max time network 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\57920690aa05d4f963d108f5c38cb9b0_NeikiAnalytics.exe"

Signatures

Renames multiple (4292) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_.arguments.exe N/A
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\57920690aa05d4f963d108f5c38cb9b0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\57920690aa05d4f963d108f5c38cb9b0_NeikiAnalytics.exe N/A

Drops file in Program Files directory

Processes

C:\Users\Admin\AppData\Local\Temp\57920690aa05d4f963d108f5c38cb9b0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\57920690aa05d4f963d108f5c38cb9b0_NeikiAnalytics.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

C:\Users\Admin\AppData\Local\Temp\_.arguments.exe

"_.arguments.exe"

Network

N/A

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 02:33

Reported

2024-06-13 02:36

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\57920690aa05d4f963d108f5c38cb9b0_NeikiAnalytics.exe"

Signatures

Renames multiple (5279) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_.arguments.exe N/A
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\57920690aa05d4f963d108f5c38cb9b0_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\57920690aa05d4f963d108f5c38cb9b0_NeikiAnalytics.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Windows.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_.arguments.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\System.Windows.Input.Manipulations.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_.arguments.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_.arguments.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp3-ul-phn.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-convert-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\_.arguments.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.WindowsDesktop.App.runtimeconfig.json.tmp C:\Users\Admin\AppData\Local\Temp\_.arguments.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_de.properties.tmp C:\Users\Admin\AppData\Local\Temp\_.arguments.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\legal\javafx\libffi.md.tmp C:\Users\Admin\AppData\Local\Temp\_.arguments.exe N/A
File created C:\Program Files\Java\jre-1.8\legal\jdk\thaidict.md.tmp C:\Users\Admin\AppData\Local\Temp\_.arguments.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\officeinventoryagentlogon.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe.config.tmp C:\Users\Admin\AppData\Local\Temp\_.arguments.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.Reporting.Common.dll.tmp C:\Users\Admin\AppData\Local\Temp\_.arguments.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Linq.Expressions.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ONFILTER.DLL.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Windows.Forms.Design.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_Subscription-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_.arguments.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\hu\msipc.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-console-l1-1-0.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.dll.tmp C:\Users\Admin\AppData\Local\Temp\_.arguments.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_PrepidBypass-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART7.BDR.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected] C:\Users\Admin\AppData\Local\Temp\_.arguments.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Pipes.dll.tmp C:\Users\Admin\AppData\Local\Temp\_.arguments.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscorlib.dll.tmp C:\Users\Admin\AppData\Local\Temp\_.arguments.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Excel.EditorRibbon.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\GKPowerPoint.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\redshift.ini.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ja-JP\tipresx.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\UIAutomationProvider.dll.tmp C:\Users\Admin\AppData\Local\Temp\_.arguments.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\PresentationUI.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_.arguments.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\es-MX\tipresx.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Windows.Input.Manipulations.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_.arguments.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\Microsoft.VisualBasic.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_.arguments.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\System.Windows.Forms.Primitives.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationUI.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Forms.Primitives.dll.tmp C:\Users\Admin\AppData\Local\Temp\_.arguments.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\cmm\PYCC.pf.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremDemoR_BypassTrial365-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_.arguments.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\en-GB\tipresx.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_logo.png.tmp C:\Users\Admin\AppData\Local\Temp\_.arguments.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\System.Runtime.InteropServices.RuntimeInformation.dll.tmp C:\Users\Admin\AppData\Local\Temp\_.arguments.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\DataStreamerLibrary.dll.config.tmp C:\Users\Admin\AppData\Local\Temp\_.arguments.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Microsoft.VisualBasic.Forms.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\JavaAccessBridge-64.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial5-pl.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Office.PowerPivot.ExcelAddIn.tlb.tmp C:\Users\Admin\AppData\Local\Temp\_.arguments.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MEDIA\VOLTAGE.WAV.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\pt-PT\tipresx.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\ado\msadrh15.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Windows.Forms.Design.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk-1.8\lib\dt.jar.tmp C:\Users\Admin\AppData\Local\Temp\_.arguments.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\javafx_iio.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\tipresx.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\sw.pak.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_OEM_Perp-pl.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Memory.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Windows.Forms.Design.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_.arguments.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTrial-pl.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\EntityPickerIntl.dll.tmp C:\Users\Admin\AppData\Local\Temp\_.arguments.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ONBttnIELinkedNotes.dll.tmp C:\Users\Admin\AppData\Local\Temp\_.arguments.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ipsfra.xml.tmp C:\Users\Admin\AppData\Local\Temp\_.arguments.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\57920690aa05d4f963d108f5c38cb9b0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\57920690aa05d4f963d108f5c38cb9b0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\_.arguments.exe

"_.arguments.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4328,i,11749492925348081608,8895412282206755658,262144 --variations-seed-version --mojo-platform-channel-handle=4304 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files
