Malware Analysis Report

2024-09-23 05:09

Sample ID 240613-cs2hlavclr
Target 568e7045a00cad6f7862e8ad1a123d50_NeikiAnalytics.exe
SHA256 c2ec1d8956ecf63487aef18f1a3d18e976038e117d9054717128bf3f554138a7
Tags ransomware
Score 9/10

Analysis Overview

Score 9/10

SHA256 c2ec1d8956ecf63487aef18f1a3d18e976038e117d9054717128bf3f554138a7

Threat Level: Likely malicious

The file 568e7045a00cad6f7862e8ad1a123d50_NeikiAnalytics.exe was found to be: Likely malicious.

Malicious Activity Summary

ransomware

Renames multiple (5251) files with added filename extension

Renames multiple (1096) files with added filename extension

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported 2024-06-13 02:21

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-13 02:21
Reported 2024-06-13 02:23
Platform win7-20240611-en
Max time kernel 147s
Max time network 125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\568e7045a00cad6f7862e8ad1a123d50_NeikiAnalytics.exe"

Signatures

Renames multiple (1096) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_update.status.exe N/A
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\568e7045a00cad6f7862e8ad1a123d50_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\568e7045a00cad6f7862e8ad1a123d50_NeikiAnalytics.exe N/A

Drops file in Program Files directory

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2752 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\568e7045a00cad6f7862e8ad1a123d50_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\_update.status.exe
PID 2752 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\568e7045a00cad6f7862e8ad1a123d50_NeikiAnalytics.exe C:\Windows\SysWOW64\Zombie.exe

Processes

C:\Users\Admin\AppData\Local\Temp\568e7045a00cad6f7862e8ad1a123d50_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\568e7045a00cad6f7862e8ad1a123d50_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\_update.status.exe

"_update.status.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

Network

N/A

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 02:21

Reported

2024-06-13 02:23

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\568e7045a00cad6f7862e8ad1a123d50_NeikiAnalytics.exe"

Signatures

Renames multiple (5251) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_update.status.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\568e7045a00cad6f7862e8ad1a123d50_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\568e7045a00cad6f7862e8ad1a123d50_NeikiAnalytics.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Java\jdk-1.8\jre\bin\vcruntime140.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHLEX.DAT.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-180.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.scale-100.png.tmp C:\Users\Admin\AppData\Local\Temp\_update.status.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSOSYNC.EXE.tmp C:\Users\Admin\AppData\Local\Temp\_update.status.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.HttpListener.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Core.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaTypewriterRegular.ttf.tmp C:\Users\Admin\AppData\Local\Temp\_update.status.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL107.XML.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Linq.Expressions.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Forms.Design.dll.tmp C:\Users\Admin\AppData\Local\Temp\_update.status.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe.tmp C:\Users\Admin\AppData\Local\Temp\_update.status.exe N/A
File created C:\Program Files\Java\jre-1.8\legal\javafx\public_suffix.md.tmp C:\Users\Admin\AppData\Local\Temp\_update.status.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.nl-nl.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\ReachFramework.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_update.status.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_update.status.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_update.status.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\legal\jdk\cryptix.md.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk-1.8\legal\javafx\webkit.md.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_MoveDrop32x32.gif.tmp C:\Users\Admin\AppData\Local\Temp\_update.status.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_update.status.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\OneNote\SendToOneNoteFilter.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Resources.ResourceManager.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationCore.dll.tmp C:\Users\Admin\AppData\Local\Temp\_update.status.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\PresentationCore.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_update.status.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN065.XML.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\en-US\wab32res.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.IsolatedStorage.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red Orange.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\mscss7wre_en.dub.tmp C:\Users\Admin\AppData\Local\Temp\_update.status.exe N/A
File created C:\Program Files\7-Zip\Lang\sw.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-localization-l1-2-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\_update.status.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Extensions.dll.tmp C:\Users\Admin\AppData\Local\Temp\_update.status.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.InteropServices.dll.tmp C:\Users\Admin\AppData\Local\Temp\_update.status.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN048.XML.tmp C:\Users\Admin\AppData\Local\Temp\_update.status.exe N/A
File created C:\Program Files\Internet Explorer\fr-FR\ieinstal.exe.mui.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Constantia-Franklin Gothic Book.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\WindowsBase.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_update.status.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE.tmp C:\Users\Admin\AppData\Local\Temp\_update.status.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-conio-l1-1-0.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Xaml.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest3-pl.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Xaml.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_update.status.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PROOF\MSHY7ES.LEX.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-localization-l1-2-0.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Retail-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_update.status.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\mip.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\te.pak.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Windows.Controls.Ribbon.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_update.status.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\msquic.dll.tmp C:\Users\Admin\AppData\Local\Temp\_update.status.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Principal.Windows.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Slipstream.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Banded Edge.eftx.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-ul-phn.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-140.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\System.Windows.Forms.Primitives.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_update.status.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-math-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\_update.status.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.tmp C:\Users\Admin\AppData\Local\Temp\_update.status.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Retail-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_update.status.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Edit.White.png.tmp C:\Users\Admin\AppData\Local\Temp\_update.status.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ea-sym.xml.tmp C:\Users\Admin\AppData\Local\Temp\_update.status.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\ReachFramework.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\psfont.properties.ja.tmp C:\Windows\SysWOW64\Zombie.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\568e7045a00cad6f7862e8ad1a123d50_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\568e7045a00cad6f7862e8ad1a123d50_NeikiAnalytics.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

C:\Users\Admin\AppData\Local\Temp\_update.status.exe

"_update.status.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4200,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=4040 /prefetch:8

Network

Files
