Malware Analysis Report

2024-09-23 05:07

Sample ID 240613-crvzesvcjp
Target 567e6aef69a13d5be38828e5364680d0_NeikiAnalytics.exe
SHA256 601b175f5eea00cb00d1b6dd2fd26c1a62363b1bfd9ad190f7c7c266799d5c4a
Tags ransomware
Score 9/10

Analysis Overview

Score 9/10
SHA256 601b175f5eea00cb00d1b6dd2fd26c1a62363b1bfd9ad190f7c7c266799d5c4a

Threat Level: Likely malicious

The file 567e6aef69a13d5be38828e5364680d0_NeikiAnalytics.exe was found to be: Likely malicious.

Malicious Activity Summary

ransomware

Renames multiple (4808) files with added filename extension

Renames multiple (5227) files with added filename extension

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported 2024-06-13 02:19

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-13 02:19
Reported 2024-06-13 02:21
Platform win10v2004-20240508-en
Max time kernel 138s
Max time network 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\567e6aef69a13d5be38828e5364680d0_NeikiAnalytics.exe"

Signatures

Renames multiple (5227) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_Node.js.lnk.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\567e6aef69a13d5be38828e5364680d0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\567e6aef69a13d5be38828e5364680d0_NeikiAnalytics.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Resources.ResourceManager.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Node.js.lnk.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Security.Permissions.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Node.js.lnk.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\t2k.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Node.js.lnk.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\pl.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\bn.pak.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Slice.thmx.tmp C:\Users\Admin\AppData\Local\Temp\_Node.js.lnk.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\ReachFramework.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Node.js.lnk.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe.tmp C:\Users\Admin\AppData\Local\Temp\_Node.js.lnk.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_Subscription-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Node.js.lnk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_Subscription-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Node.js.lnk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\bwcapitalized.dotx.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MYSL.ICO.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.EventBasedAsync.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\jsoundds.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Node.js.lnk.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\deploy\messages.properties.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp2-ul-phn.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_OEM_Perp-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Node.js.lnk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp-pl.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\UIAutomationClientSideProviders.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Retail-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Node.js.lnk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\SQLENGINEMESSAGES.XML.tmp C:\Users\Admin\AppData\Local\Temp\_Node.js.lnk.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_ja.properties.tmp C:\Users\Admin\AppData\Local\Temp\_Node.js.lnk.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Forms.Primitives.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Node.js.lnk.exe N/A
File created C:\Program Files\Internet Explorer\en-US\ieinstal.exe.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_KMS_Client-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Node.js.lnk.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_MAKC2R-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Node.js.lnk.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_MAKC2R-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Node.js.lnk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\GR8GALRY.GRA.tmp C:\Users\Admin\AppData\Local\Temp\_Node.js.lnk.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\UIAutomationClient.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Node.js.lnk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\PersonaSpy.js.tmp C:\Users\Admin\AppData\Local\Temp\_Node.js.lnk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ONENOTEIMP.DLL.tmp C:\Users\Admin\AppData\Local\Temp\_Node.js.lnk.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Forms.Design.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Node.js.lnk.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Windows.Controls.Ribbon.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\pt-PT.pak.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\legal\jdk\asm.md.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\hijrah-config-umalqura.properties.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Grace-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Node.js.lnk.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.InteropServices.JavaScript.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial2-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Node.js.lnk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\AdeModule.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Node.js.lnk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\index.win32.bundle.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\security\cacerts.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_KMS_Client-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Node.js.lnk.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-80.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\OFFRHD.DLL.tmp C:\Users\Admin\AppData\Local\Temp\_Node.js.lnk.exe N/A
File created C:\Program Files\7-Zip\Lang\nl.txt.tmp C:\Users\Admin\AppData\Local\Temp\_Node.js.lnk.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Drawing.Primitives.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Node.js.lnk.exe N/A
File created C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\en-GB.pak.tmp C:\Users\Admin\AppData\Local\Temp\_Node.js.lnk.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\glass.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Node.js.lnk.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\fontconfig.properties.src.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_KMS_Automation-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\PRIVATE_ODBC32.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Primitives.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Controls.Ribbon.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Node.js.lnk.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\System.Windows.Forms.Design.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\jconsole.exe.tmp C:\Users\Admin\AppData\Local\Temp\_Node.js.lnk.exe N/A
File created C:\Program Files\Java\jre-1.8\legal\jdk\xerces.md.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Trial-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Node.js.lnk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\excelcnvpxy.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PROOF\msth8EN.DLL.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Web.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\567e6aef69a13d5be38828e5364680d0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\567e6aef69a13d5be38828e5364680d0_NeikiAnalytics.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

C:\Users\Admin\AppData\Local\Temp\_Node.js.lnk.exe

"_Node.js.lnk.exe"

Network

Country Destination Domain Proto
US 52.111.229.43:443 tcp

Files

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 02:19

Reported

2024-06-13 02:21

Platform

win7-20240611-en

Max time kernel

150s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\567e6aef69a13d5be38828e5364680d0_NeikiAnalytics.exe"

Signatures

Renames multiple (4808) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_Node.js.lnk.exe N/A
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\567e6aef69a13d5be38828e5364680d0_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\567e6aef69a13d5be38828e5364680d0_NeikiAnalytics.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Blue_Gradient.jpg.tmp C:\Users\Admin\AppData\Local\Temp\_Node.js.lnk.exe N/A
File opened for modification C:\Program Files\DVD Maker\fr-FR\OmdProject.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_Node.js.lnk.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-modules-spi-actions.xml_hidden.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\micaut.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Node.js.lnk.exe N/A
File created C:\Program Files\Internet Explorer\jsdebuggeride.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\db\bin\sysinfo.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Etc\GMT-3.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.IO.Log.Resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\requests\status.json.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Indiana\Vevay.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libattachment_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Node.js.lnk.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\visualization\libprojectm_plugin.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Media Player\fr-FR\wmpnssui.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_Node.js.lnk.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Bissau.tmp C:\Users\Admin\AppData\Local\Temp\_Node.js.lnk.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Cancun.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Games\FreeCell\it-IT\FreeCell.exe.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\msadc\es-ES\msdaremr.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Atlantic\Madeira.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Recife.exe.tmp C:\Users\Admin\AppData\Local\Temp\_Node.js.lnk.exe N/A
File created C:\Program Files\VideoLAN\VLC\vlc.exe.tmp C:\Users\Admin\AppData\Local\Temp\_Node.js.lnk.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_left.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\de-DE\sqloledb.rll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_Node.js.lnk.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Asia\Riyadh88.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\UIAutomationClient.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\meta_engine\libfolder_plugin.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_single_bkg_orange.png.tmp C:\Users\Admin\AppData\Local\Temp\_Node.js.lnk.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\highDpiImageSwap.js.tmp C:\Users\Admin\AppData\Local\Temp\_Node.js.lnk.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\verify.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Node.js.lnk.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Rainy_River.exe.tmp C:\Users\Admin\AppData\Local\Temp\_Node.js.lnk.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\vlc.mo.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libblend_plugin.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\fr-FR\OmdProject.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Malta.tmp C:\Users\Admin\AppData\Local\Temp\_Node.js.lnk.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libdxva2_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Node.js.lnk.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.descriptorProvider.exsd.tmp C:\Users\Admin\AppData\Local\Temp\_Node.js.lnk.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\css\calendar.css.tmp C:\Users\Admin\AppData\Local\Temp\_Node.js.lnk.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\js\currency.js.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\notConnectedStateIcon.png.tmp C:\Users\Admin\AppData\Local\Temp\_Node.js.lnk.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\help.gif.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer.httpclient4_1.0.800.v20140827-1444.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\ECLIPSE_.SF.tmp C:\Users\Admin\AppData\Local\Temp\_Node.js.lnk.exe N/A
File created C:\Program Files\Common Files\System\msadc\msdaprst.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Node.js.lnk.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Cocos.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-masterfs-nio2.xml.exe.tmp C:\Users\Admin\AppData\Local\Temp\_Node.js.lnk.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\gadget.xml.tmp C:\Users\Admin\AppData\Local\Temp\_Node.js.lnk.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\liblive555_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Node.js.lnk.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\es-ES\msdasqlr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_Node.js.lnk.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_Buttongraphic.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.nl_zh_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\_Node.js.lnk.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-multitabs.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-progress.xml.exe.tmp C:\Users\Admin\AppData\Local\Temp\_Node.js.lnk.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Antarctica\Casey.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Asia\Yerevan.exe.tmp C:\Users\Admin\AppData\Local\Temp\_Node.js.lnk.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_output\libdirectsound_plugin.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\eBook.api.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\mainscroll.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.security_1.2.0.v20130424-1801.jar.tmp C:\Users\Admin\AppData\Local\Temp\_Node.js.lnk.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-coredump.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\Microsoft.Build.Engine.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_thunderstorm.png.tmp C:\Users\Admin\AppData\Local\Temp\_Node.js.lnk.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsScenesBackground.wmv.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.observable_1.4.1.v20140210-1835.jar.tmp C:\Users\Admin\AppData\Local\Temp\_Node.js.lnk.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Tegucigalpa.tmp C:\Windows\SysWOW64\Zombie.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\567e6aef69a13d5be38828e5364680d0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\567e6aef69a13d5be38828e5364680d0_NeikiAnalytics.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

C:\Users\Admin\AppData\Local\Temp\_Node.js.lnk.exe

"_Node.js.lnk.exe"

Network

N/A

Files

memory/2392-0-0x0000000000400000-0x0000000000408000-memory.dmp

\Users\Admin\AppData\Local\Temp\_Node.js.lnk.exe

MD5 59a2ffe974b8476ce7be838b9f431671
SHA1 b76c8ed1de4780f35c569d38f76803bc0cc901a3
SHA256 f65a4ccbb11a4089dc591249cf3b92295ecc4e802b878234009c90c48f202394
SHA512 54e659ca61f1528310bbaac1b47d24bec0b8afff2aac1e45614ff7a19e634c4fa5bd9a7d68a9c7d197030cb146afbe8f0c432839f21df2a4645e4fd4c12ccbe5

\Windows\SysWOW64\Zombie.exe

MD5 6bbd26e747c059c04b72d8ed7a135213
SHA1 47d49fd4143c5ede7c05bb79e25367b9ee2b5a3d
SHA256 3573166fad396acf5800a86e0b6d20eec37ba2102ecb293428f1f621e2f3c15c
SHA512 068afdc5e8a391ba19b5a7e1c40e6c7043b67898b06261fae3afde4ebfd52f482da38b68f70a04b068fbbcc483e36ceb5cd2c466ef63a913ae59c309f0448f38
