Malware Analysis Report

2024-09-23 05:08

Sample ID 240613-ch532a1ald
Target 55e1efed695b6feac51297b7270da840_NeikiAnalytics.exe
SHA256 8d2ffd0a60467546b192e6a9a734d14d2b9aa8ce26099c3d865ffffefa3666b2
Tags ransomware
Score 9/10

Analysis Overview

Score 9/10

SHA256 8d2ffd0a60467546b192e6a9a734d14d2b9aa8ce26099c3d865ffffefa3666b2

Threat Level: Likely malicious

The file 55e1efed695b6feac51297b7270da840_NeikiAnalytics.exe was found to be: Likely malicious.

Malicious Activity Summary

ransomware

Renames multiple (4451) files with added filename extension

Renames multiple (5073) files with added filename extension

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported 2024-06-13 02:05

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-13 02:05
Reported 2024-06-13 02:08
Platform win10v2004-20240508-en
Max time kernel 150s
Max time network 53s

Command Line

"C:\Users\Admin\AppData\Local\Temp\55e1efed695b6feac51297b7270da840_NeikiAnalytics.exe"

Signatures

Renames multiple (5073) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_Module Docs.lnk.exe N/A
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\55e1efed695b6feac51297b7270da840_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\55e1efed695b6feac51297b7270da840_NeikiAnalytics.exe N/A

Drops file in Program Files directory

Processes

C:\Users\Admin\AppData\Local\Temp\55e1efed695b6feac51297b7270da840_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\55e1efed695b6feac51297b7270da840_NeikiAnalytics.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

C:\Users\Admin\AppData\Local\Temp\_Module Docs.lnk.exe

"_Module Docs.lnk.exe"

Network

Files

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-13 02:05
Reported 2024-06-13 02:08
Platform win7-20240611-en
Max time kernel 150s
Max time network 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\55e1efed695b6feac51297b7270da840_NeikiAnalytics.exe"

Signatures

Renames multiple (4451) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_Module Docs.lnk.exe N/A
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\55e1efed695b6feac51297b7270da840_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\55e1efed695b6feac51297b7270da840_NeikiAnalytics.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+4.tmp C:\Users\Admin\AppData\Local\Temp\_Module Docs.lnk.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\RSSFeeds.html.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToNotesBackground_PAL.wmv.tmp C:\Users\Admin\AppData\Local\Temp\_Module Docs.lnk.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.observable.nl_zh_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\_Module Docs.lnk.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.forms.nl_ja_4.4.0.v20140623020002.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\rings-desk.png.tmp C:\Users\Admin\AppData\Local\Temp\_Module Docs.lnk.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-lib-uihandler.xml_hidden.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\charsets.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\7-Zip\descript.ion.tmp C:\Users\Admin\AppData\Local\Temp\_Module Docs.lnk.exe N/A
File created C:\Program Files\DVD Maker\it-IT\WMM2CLIP.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_Module Docs.lnk.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ro.pak.tmp C:\Users\Admin\AppData\Local\Temp\_Module Docs.lnk.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-io_zh_CN.jar.exe.tmp C:\Users\Admin\AppData\Local\Temp\_Module Docs.lnk.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\PresentationFramework.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Module Docs.lnk.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_ring_docked.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\gadget.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\TipTsf.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_Module Docs.lnk.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\highlight.png.tmp C:\Users\Admin\AppData\Local\Temp\_Module Docs.lnk.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.felix.gogo.command_0.10.0.v201209301215.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Europe\Amsterdam.exe.tmp C:\Users\Admin\AppData\Local\Temp\_Module Docs.lnk.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Asia\Tehran.exe.tmp C:\Users\Admin\AppData\Local\Temp\_Module Docs.lnk.exe N/A
File created C:\Program Files\7-Zip\Lang\ast.txt.tmp C:\Users\Admin\AppData\Local\Temp\_Module Docs.lnk.exe N/A
File created C:\Program Files\7-Zip\Lang\he.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Tashkent.tmp C:\Users\Admin\AppData\Local\Temp\_Module Docs.lnk.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Pacific\Noumea.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\San_Luis.tmp C:\Users\Admin\AppData\Local\Temp\_Module Docs.lnk.exe N/A
File created C:\Program Files\Java\jre7\bin\pack200.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\application.ini.tmp C:\Users\Admin\AppData\Local\Temp\_Module Docs.lnk.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.Entity.Resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Module Docs.lnk.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-charts.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\codec\librawvideo_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Module Docs.lnk.exe N/A
File created C:\Program Files\Windows Journal\Templates\To_Do_List.jtp.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sv.pak.tmp C:\Users\Admin\AppData\Local\Temp\_Module Docs.lnk.exe N/A
File opened for modification C:\Program Files\Internet Explorer\iediagcmd.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\ECLIPSE_.SF.exe.tmp C:\Users\Admin\AppData\Local\Temp\_Module Docs.lnk.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.intro.nl_ja_4.4.0.v20140623020002.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\7-Zip\7-zip.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\flower_s.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\tile_bezel.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_left_disabled.png.tmp C:\Users\Admin\AppData\Local\Temp\_Module Docs.lnk.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-application-views_ja.jar.exe.tmp C:\Users\Admin\AppData\Local\Temp\_Module Docs.lnk.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwrlatinlm.dat.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ipsita.xml.tmp C:\Users\Admin\AppData\Local\Temp\_Module Docs.lnk.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.widgets_1.0.0.v20140514-1823.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-common.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\next_rest.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipRes.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_Module Docs.lnk.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\db\bin\setNetworkServerCP.bat.tmp C:\Users\Admin\AppData\Local\Temp\_Module Docs.lnk.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaSansRegular.ttf.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-heapwalker.xml.exe.tmp C:\Users\Admin\AppData\Local\Temp\_Module Docs.lnk.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Europe\Madrid.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.Entity.Resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Orange Circles.htm.tmp C:\Users\Admin\AppData\Local\Temp\_Module Docs.lnk.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\db\NOTICE.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\jmxremote.access.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\deploy\messages_zh_TW.properties.exe.tmp C:\Users\Admin\AppData\Local\Temp\_Module Docs.lnk.exe N/A
File created C:\Program Files\Common Files\System\it-IT\wab32res.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Iqaluit.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\codec\libsubsusf_plugin.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Journal\es-ES\PDIALOG.exe.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Mozilla Firefox\api-ms-win-crt-string-l1-1-0.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\codec\libaraw_plugin.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationRight_SelectionSubpicture.png.tmp C:\Users\Admin\AppData\Local\Temp\_Module Docs.lnk.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\feature.xml.exe.tmp C:\Users\Admin\AppData\Local\Temp\_Module Docs.lnk.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-attach.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\55e1efed695b6feac51297b7270da840_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\55e1efed695b6feac51297b7270da840_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\_Module Docs.lnk.exe

"_Module Docs.lnk.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

Network

N/A

Files
