Malware Analysis Report

2024-09-23 05:06

Sample ID 240613-fdc38sybln
Target 5f76667bd99c9aae7919aee0b5050880_NeikiAnalytics.exe
SHA256 81e49c38d8eced5bc7399cf17d5f5b5a93ac5aee267cacccfedd51e17222c5b7
Tags
ransomware
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

81e49c38d8eced5bc7399cf17d5f5b5a93ac5aee267cacccfedd51e17222c5b7

Threat Level: Likely malicious

The file 5f76667bd99c9aae7919aee0b5050880_NeikiAnalytics.exe was found to be: Likely malicious.

Malicious Activity Summary

ransomware

Renames multiple (4790) files with added filename extension

Renames multiple (776) files with added filename extension

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-13 04:45

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 04:45

Reported

2024-06-13 04:47

Platform

win7-20240611-en

Max time kernel

150s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5f76667bd99c9aae7919aee0b5050880_NeikiAnalytics.exe"

Signatures

Renames multiple (776) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_Get-VisualStudioInstallerHealth.ps1.exe N/A
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\5f76667bd99c9aae7919aee0b5050880_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\5f76667bd99c9aae7919aee0b5050880_NeikiAnalytics.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\whitemenu.png.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VisualStudioInstallerHealth.ps1.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationUp_SelectionSubpicture.png.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\msdasql.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\oskpredbase.xml.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\wab32.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VisualStudioInstallerHealth.ps1.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationRight_ButtonGraphic.png.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VisualStudioInstallerHealth.ps1.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationLeft_SelectionSubpicture.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\db\bin\dblook.bat.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VisualStudioInstallerHealth.ps1.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\lib\derbynet.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\7-Zip\Lang\sa.txt.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VisualStudioInstallerHealth.ps1.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\IPSEventLogMsg.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\fieldswitch.ax.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VisualStudioInstallerHealth.ps1.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\COPYRIGHT.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\bin\stopNetworkServer.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\instrument.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_ca.xml.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VisualStudioInstallerHealth.ps1.exe N/A
File created C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\de-DE\MSTTSLoc.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToNotesBackground_PAL.wmv.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VisualStudioInstallerHealth.ps1.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\blackbars80.png.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VisualStudioInstallerHealth.ps1.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationRight_SelectionSubpicture.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-back-static.png.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\1047x576black.png.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Internet Explorer\SIGNUP\install.ins.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VisualStudioInstallerHealth.ps1.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\InputPersonalization.exe.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\rollinghills.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Internet Explorer\Timeline_is.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VisualStudioInstallerHealth.ps1.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2ssv.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VisualStudioInstallerHealth.ps1.exe N/A
File created C:\Program Files\Common Files\System\msadc\it-IT\msadcfr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VisualStudioInstallerHealth.ps1.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ipssrb.xml.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\sqloledb.rll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Title_content-background.png.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VisualStudioInstallerHealth.ps1.exe N/A
File created C:\Program Files\7-Zip\Lang\eu.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationUp_SelectionSubpicture.png.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VisualStudioInstallerHealth.ps1.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationUp_ButtonGraphic.png.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VisualStudioInstallerHealth.ps1.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\jfxmedia.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-next-static.png.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VisualStudioInstallerHealth.ps1.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationUp_SelectionSubpicture.png.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Internet Explorer\networkinspection.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VisualStudioInstallerHealth.ps1.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-back-static.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\audiodepthconverter.ax.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VisualStudioInstallerHealth.ps1.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_SelectionSubpicture.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\instrument.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VisualStudioInstallerHealth.ps1.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Filters\odffilt.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\ShapeCollector.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VisualStudioInstallerHealth.ps1.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\IpsMigrationPlugin.dll.mui.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\msadc\msadce.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VisualStudioInstallerHealth.ps1.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-highlight.png.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationLeft_SelectionSubpicture.png.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passport.png.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VisualStudioInstallerHealth.ps1.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\Passport_PAL.wmv.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VisualStudioInstallerHealth.ps1.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\nl.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Music.emf.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VisualStudioInstallerHealth.ps1.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationRight_SelectionSubpicture.png.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_ja_JP.jar.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VisualStudioInstallerHealth.ps1.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\glib-lite.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VisualStudioInstallerHealth.ps1.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\hprof.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VisualStudioInstallerHealth.ps1.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\gu.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\7-Zip\Lang\tr.txt.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VisualStudioInstallerHealth.ps1.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\auxbase.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\ado\msado25.tlb.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VisualStudioInstallerHealth.ps1.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\photograph.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Internet Explorer\en-US\jsprofilerui.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\be.txt.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VisualStudioInstallerHealth.ps1.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2916 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\5f76667bd99c9aae7919aee0b5050880_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\_Get-VisualStudioInstallerHealth.ps1.exe
PID 2916 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\5f76667bd99c9aae7919aee0b5050880_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\_Get-VisualStudioInstallerHealth.ps1.exe
PID 2916 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\5f76667bd99c9aae7919aee0b5050880_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\_Get-VisualStudioInstallerHealth.ps1.exe
PID 2916 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\5f76667bd99c9aae7919aee0b5050880_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\_Get-VisualStudioInstallerHealth.ps1.exe
PID 2916 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\5f76667bd99c9aae7919aee0b5050880_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\_Get-VisualStudioInstallerHealth.ps1.exe
PID 2916 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\5f76667bd99c9aae7919aee0b5050880_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\_Get-VisualStudioInstallerHealth.ps1.exe
PID 2916 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\5f76667bd99c9aae7919aee0b5050880_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\_Get-VisualStudioInstallerHealth.ps1.exe
PID 2916 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\5f76667bd99c9aae7919aee0b5050880_NeikiAnalytics.exe C:\Windows\SysWOW64\Zombie.exe
PID 2916 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\5f76667bd99c9aae7919aee0b5050880_NeikiAnalytics.exe C:\Windows\SysWOW64\Zombie.exe
PID 2916 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\5f76667bd99c9aae7919aee0b5050880_NeikiAnalytics.exe C:\Windows\SysWOW64\Zombie.exe
PID 2916 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\5f76667bd99c9aae7919aee0b5050880_NeikiAnalytics.exe C:\Windows\SysWOW64\Zombie.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5f76667bd99c9aae7919aee0b5050880_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\5f76667bd99c9aae7919aee0b5050880_NeikiAnalytics.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

C:\Users\Admin\AppData\Local\Temp\_Get-VisualStudioInstallerHealth.ps1.exe

"_Get-VisualStudioInstallerHealth.ps1.exe"

Network

N/A

Files

\Windows\SysWOW64\Zombie.exe

MD5 f052d15f1b566107764a2774908b6af1
SHA1 9e1028843bff7fdffbef8a8a41d0f96811c6316d
SHA256 f85dab0872df5adbdf677222092b0856a1838d56cae16021d069f293b4b34b61
SHA512 40ec41f35a125c28196e16365bd2b8b480edcd6d19c0132f248b3b32f04f22fa49efe1c7bc5acb9106215e1630475f4e3ba562d77b2d707b6dd1bc1562c798bd

C:\Users\Admin\AppData\Local\Temp\_Get-VisualStudioInstallerHealth.ps1.exe

MD5 dced22d476bb064fb27028b78be8f991
SHA1 2b87ae700aa4f921fb8066a3603be392d3b64c14
SHA256 2bf192acfaa418cf025239b94064853d0103a8a3b409895b29f3a846f8b3d8ad
SHA512 5a32da24de410c59598d4e53e2be400dad27eae32dfe9af02a40560f1ba3e6942731bfec6e64e4e53acdf6888db31738b07c9713a40de3e4395af714e7425b4a

C:\$Recycle.Bin\S-1-5-21-39690363-730359138-1046745555-1000\desktop.ini.tmp

MD5 8ae363f870ede4f121dde824848f59ec
SHA1 1517a427b325a641a38121be87a23774ba25239c
SHA256 8a50f78b724bc04d079a6d8ae33841e0599a255ef4eb7766d01f8d3fc9f8f8e4
SHA512 6ddf71af042724544d909de6fff060186f356a94d0722e0ceb4f4cddbf12a8ea42152da82445c316a3260ac328375f58ad7ab4e5fecf85094c4e768cd03286e7

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe.tmp

MD5 265194f9f106c9a715147178967b1e83
SHA1 39b72e90f6920172db179fdeba153461bd0f2590
SHA256 7c8a89a059a411b6950ca2ec19f4d644b26cdfb14f473d950e594599623f2d46
SHA512 d2fdb1601f07e9cad9d05d96a3f0d2fd079845f62bd2163f78c5ffefa27c847fc73df0932d93fcb365edb733ca29b429857f57a1d4fa9ecc5f094dc1f987bf8a

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\osetup.dll.tmp

MD5 3257e001fdf938984550eb130fb48d95
SHA1 6bd22abfe09c3d59505a826f59c3b88f96d4de32
SHA256 01296bc50346f081419a2843de843da90778748f6329197f17d48fbc700b11c8
SHA512 d006e5553234de634b14b5e3ff21dd1ff14cc549f8291aecd503bbf57f241c99bf31600abb01097ed449199f77299f7ff48dfedb3e55ce5da3e0e60732f51036

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.tmp

MD5 7f829c9e210dae85bab8b427df20edf8
SHA1 dc11d300eb5bed717456247b074717b575834ab6
SHA256 aae729639d5495d3b74023a09d8f6d9598a2cd34b934cf7022d9ebe36ce6d2ef
SHA512 ce30b21dfb940669fdcb9120bbc6e28fed50be2f1d6b39451d2bb529a25ac543c79fe6796d57169f6269f7d08207e53167282e666321c67f13c4ca464971e671

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\PidGenX.dll.tmp

MD5 734b46fafd41267efb0f44980da9717c
SHA1 be8a120067bdbd88f4bdc7384f3b8a4f3933e4d8
SHA256 1fcdb0cf7ec64da772603c966c0788d8abaee325f4f5a0158840aa3213b23836
SHA512 d2011dcd4defccb6e697665925719b51e105da5f29ea155b4f608198d1b6b976e0aace969345ceb8919c0184baca5f7d4e32f44cb065c054feec23b83ecbf154

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.tmp

MD5 1cf7e91befbbfc0efb3cab1a572c9e70
SHA1 9ea5796c5c22a30678ec1e91e80e425f37dc2c69
SHA256 82780aa8096c6354bd3ca701ff2b33e51fef34788b97d887157663c83352421e
SHA512 2b89f42b8b60a421aeb93b4ec78861847e2b619b24fd413bac3793f7485383aa85f763bd8d5b49353efa699cf35230a3208d873d4642045e93d6de2df3425d40

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.tmp

MD5 a90c4e0ae69257653f21dd56e7bd1c44
SHA1 545411b1c2917e49658973400cc1d137f209fd01
SHA256 2f6302a9116740ccfb00670ab41a7a66e298331419b79a0d7bf8f3b551d43761
SHA512 dbffda0d05212b7ca9472a745d1ada690c8eaf5837a70e16b8f3f925876d574c9da19d20c90d1109f1113cbff8c6201a71b6fde65174ac43e9b887ff2f61009a

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe.tmp

MD5 5fa138e960dddcc0b1c8d92fcc6c4111
SHA1 28ae226c6dd1b4ebf40b73e12dfddd356269a527
SHA256 801bc492c645715e3c72a9b02a9720395b58314d8b5114438f258c7078cbbc7d
SHA512 f9eebdfdac5062eb580d414b8f8981f112c91cc434e63fd3a4486368d47b5a48c03a7e65ca9a800076e052b0b0464278a171347eb2a9c70da45f38c3a6b7a7e6

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.tmp

MD5 a9dae97889a501efbf6e73e39e745d02
SHA1 88d5ee0efa4abe17877dc67cb3a1636829a9bfd7
SHA256 3cb38cf3380c89fe18feee6b0aa504f53b075a48d6e03e34b509cf8006385936
SHA512 d83818f3601e2aa9daf2d4a25fbe5c0ed6b368ef004bcf0039408c26dc1c5c97f1728dc4f44fc775e910b6e0f778c819f39be992e035e3678503688c0621125e

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml.tmp

MD5 eb4ba2b017c2b4940a07aa34dc1c894c
SHA1 1cf5a0e45ca2d02cb6ba8b51e12393fb0a8eae97
SHA256 deda57f6c5ab4ad0f5c83145135cc5fcafd7ae0bcccaed437ef0249802ca8613
SHA512 3363b42bc0eec9d42beacf76105135dabad0bb92ce834ab840b496e27550f6920e8f1859d83a473b2daf0fc32be352af59c5e9da99e3fea9686aa858375985eb

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.tmp

MD5 1ca281baf313074c42497878c1ae5597
SHA1 738e052eb11981f1fe791a8999f1699efa38f7bf
SHA256 b2b16e0383354ff5bdc0e01e565b49f79015afa3f9bb8429f2643d25924c4015
SHA512 36fc863143664fe9ae525c2d75b3e03b1646a9bda8763a6b106deba9cfa8901fd50faa03eec2217c17c91eff4aa530e8352cc6eb9d38c0147bb8579bf4da1e15

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.tmp

MD5 e7646b5c3067baddfe30cdf1f723c25f
SHA1 7e11dc4d07475b1da8a869d2f325f51235901c69
SHA256 4c649492ba2c2b224f1a78faee0941a1f9d25ae91d54bc8529c9a3284fa98be2
SHA512 18beb70a17299e86240f256a3c23346916044189eb4bcea90209f289d0340845b800166292897a244ecf50948abfa196687156b0e9f909eb8e56498b6fb45edc

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab.tmp

MD5 9966866224eca0f331b01a4c7df25578
SHA1 6dc051e8e14c32b05612675a1e43bbf3ed46366c
SHA256 911fe0fd89ccbe414565fc4f4fef5ebede4d77b85c9f448c932794987b89a026
SHA512 12a4a06c780d2624f1e2ef922e30b90e6c38aad0a9473b389e23ecf2cbd94ccf65055e889d8df031e8d01dbb0e1f1e86dbb1f6193feaf9a7892522d4b7c25e98

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi.tmp

MD5 48f0e9e784ce0c3cd1f387e47d56bf5c
SHA1 4c141df17d7b5d4b33763698c02d07197b34b53f
SHA256 78ba218c190a92dec311acefe6b9615925bf162f1433f061ab20b3ef71c1ddf3
SHA512 1092969dc618c7c71e0ce563634b3600c6475ba86cf3941dba52350ea1b589472f15e673140cefad074c76c686356db8e374b160751403e3b4c74dca35ec8363

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.tmp

MD5 fd64261454a9a1a9701db2fe734ea2a6
SHA1 024e7113d862bb96672232dfe068c1009cdebe66
SHA256 6f5655a93a0b48d42bc373e20f04d525598330bf43bd04d9afddfb5ac6807e69
SHA512 18521aadba7213b287482c85b27a3db7ce3f9cf81811904577c2cc3491ce2878e0859c16d88041ef52d4c366e712e874ec4dc183a04cf6c32080e3f3498239aa

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi.tmp

MD5 9e6d9ec1d58d70ae5a80f566dedc736d
SHA1 de24ac6c4311144d6a912a0355f05d483f0fc10f
SHA256 cfbf5d359ae1a25003cfb9eec08773eb55fc3665a497962975a80a2b663061ea
SHA512 6290ee11d08430e5b03b7f9a1f3888191d579224a887cae399c9532648b53efb3f75d78dd595d0070d97d7601b6da0b0f334e50f5a9125f3f12da7865be891a9

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml.tmp

MD5 413ab84b232f98c3ab16ceaac56d4380
SHA1 7e3932534275dd5715b68904640183e201fe182d
SHA256 a5bb0c1861b1dfcc2f55ee1d72433bb8ad540100a40176dac69bc7358bdda22a
SHA512 f5831cf00d0a6942c64fe36c05a37e8cd2e0b5453bab98defa0f1ea241d56116a667228d28b1153d92fac2d5c97ddf80b6a512e01aa4122d19a2aad8f1af778a

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.tmp

MD5 9461de89e9402453d2aee3e850bb0c64
SHA1 a20f23d31c148be2e694ea980b6a1b2a26bfef53
SHA256 b649042126ae7021984895c2ce468cd0fd8d4538bf93ea14f98da2b81ae8a061
SHA512 9322ff187ac1366dbef8965a60010453881d563d032ce76e3cfa93d3717c072a693a41604977ac4e8a9f6ab417ce8e85581b6e2699071bcd26f8150a61c9f1e0

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.tmp

MD5 774542301ef04eed6c97573a9dd064e8
SHA1 f6e66a65c91014438f7be50982e192413a37a6a8
SHA256 4084aca0dd3a6872fd5616193be85347ede20e0434d0235257a9469ca3146fa5
SHA512 e8803296ef7a562f445f771eb36c725137c45140198921be60bb8fd8b1ed87066b2b444fee8aac88b1047e752d6c1d82a5d9cd4f3936119b2fdfca0c6144512d

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi.tmp

MD5 6cec38d1d280538cda0c1c66103d86de
SHA1 142f97639d4a6959a03a3ef9bd73a4d75a8cc65d
SHA256 61e1e909d2ee789532a791d7e1adb8389f30e8d7fd3d9bd7d1821a7c285c3e08
SHA512 249ed555889d3670295357f277862f440162ef1bf0508797166acf9e906dfd16c754dac16df1eb5ac75a1696cc5299ae911739a1c4daa4ce22eeddb15377b932

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab.tmp

MD5 47a42b693b33f7f10508bf63ff8b9292
SHA1 9feec10f0dacc6d8fc4921de92f0f8d6478afb95
SHA256 b58b6363e748ecba16210af3f23c3e5f4675f0cb74edef6550ff0c9b38df8c2b
SHA512 9026c840dd5aaf1da31b3133bf1fba00a63a61b5cac10fa38b303f0632a45fa8372bc8322e962fca4d8a014968baa731bfe457380bee6234bc7f22184cbe8967

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi.tmp

MD5 8be62712ac6d04ea22dffcc0b4662f00
SHA1 c3d62d112e73648cabc8cb80a422c0ecc30532c4
SHA256 3518294b871c8757e8623caf9498e55d579ab2b1a722fa604f59302ee81aadee
SHA512 02099bdda63e6b687eaf99df64b781a57d2b9fca39dc9516dc6b0a5805a292fd37df252a4a16cebed88dce6feb317aa2ef123ceeacfeab23134a22c94cfa81fd

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.tmp

MD5 1f8942c6b2c2a6be51da60196a7d459c
SHA1 4a74f744d89ecccf2823b41b726f55f5f9515aad
SHA256 f362bddd02f2ce6531bfbe64eb106c9532227ee00463bbe099050619dab538e7
SHA512 8bf68543f7e907df9beb8ff956719ae0de779977b89b8a19804b9898b89f2f8783e96e4a2f86779ad10a2e28c89e5714843e5bf73e1ea0e48b58bcea90bd2b67

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi.tmp

MD5 ce7facdec5950fe4bbb23192afd14834
SHA1 277a2493de220270fe3612fcd61abf06e76ad2e4
SHA256 666ef567522826eb539af0da61d5138770df845e59261fa51511d20d083593af
SHA512 897347a710c61fbaa2cb7c5685678986e93f13eec669c74003e4f081360ac5583628d4f974faf8f1ed349eb9cbb2b694d98e23de61cae9391ed29ad07aad4f31

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml.tmp

MD5 dae2135a0ebe5199f4807f716dfd55a7
SHA1 3f273ca8013c7f62aa5434370a36179c11249cd9
SHA256 cdb6adf9d5185830e6904154caed47f0e4aae32f949349c4f0cc29df0eb900ad
SHA512 ee752df0417d6e9a2540def3487f09cd0b3b964adab816a1dc4ef7065f74f7d32503676e4eb40ac9155907ffe5f8e82833bf015bbf209ddec5613c34a7ebc8e5

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab.tmp

MD5 dd305a72fea96d316a549b78c21c235f
SHA1 e46a2b45cd0ca57829171ef435cd63c5596c4581
SHA256 5aa5cce191588a63c675701e50690e5a926bcdd38b073caae57df561096e978c
SHA512 ef5246d936286567437b3833043a008657767c27561eeb01c361bfbbcfa728a5140792e44cae45533065381ff7d10eee072ba09a4cd4d3c33e761f69b1bc9e91

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi.tmp

MD5 36137636106d837e2ea11d865cb3b6e0
SHA1 97e1c0b27f5622e4a92bf1529531a5c6caadc50a
SHA256 7088326027985132a529001b9f648fe8a3874540fe6e1b269c82385e3aee6733
SHA512 e7c1970a43ccdf462b77972baed1e813094c972431fda682282e601f04f918f06e08e13da2a23764a7b946949c34b78379425818f5c9b58544164cee989f9d18

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.msi.tmp

MD5 a9870fa2b87c85079a5876943efc4759
SHA1 f99b4f21bf01eb8fa142232e9455d83506af4a23
SHA256 b89787f5205f899f15748d13f22f370f3a9c036956db073532c65a9f327c47b7
SHA512 9c6fed15edffe000e0d1b45c6920418f87ce2e0f1ea66f800ff64b87fc238c4d0ab349e17b54baadd1c1d8e3a4f969ba648589d366adb0caeeb72030081a4e36

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OnoteLR.cab.tmp

MD5 0c4e86271a549b181d2af46bfb946a0f
SHA1 7e3c800e59b9ec54b3dd613eb6afe87a0324d822
SHA256 0e68da0bfbe36d09eae79bd0315bd187b5809e1ed35f8d331b26761a506229fc
SHA512 ed90fa8ab07fc306b90e36456c9d360d5e07e722ecacb81d4dd7609b8afcb9306b048a57f8a2854419cad3d936981305981da929f9252d631192202587ceb6d7

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveLR.cab.tmp

MD5 ec7ca206bec1dcbc302f86e28d8a7064
SHA1 2a2a609e62b4b7cd6816db1f7bd538b67e20dcf3
SHA256 539190ffa2c61536aae360ae99be8f21cdeb85c40e665bf747c219416b5555ff
SHA512 465ef8ffcc54a9d0455b4154be8cead441d66a8449fcda5813c20c7c4efbcece5bbfa8ce13a1320f2346764ef518851ae92e0e3ce7a3c6c5efa389abaea63e82

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveLR.cab.tmp

MD5 70e20f94bedc346afef3f678f6c8176d
SHA1 160940ddda9ce5e282dd7c16ccd125e4f9a3e1ca
SHA256 d1fa28b5f426b8a7973dc43ef070b55907daad7d8f66a4e7f2f7c09c5b8e8c01
SHA512 690823c00623beea2f71c62bd1e644953413c08e176fd9b4d7231ba62ef36047ea626ecace18188a00c0e72ecc1eb79a795b0bf0683bb604599e0ef7ecfaebca

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.msi.tmp

MD5 327e4fe17a297123b1713c8556ba35d7
SHA1 8b156895efff66dfc3711cc9a2a9d8328a50e46d
SHA256 4142dd834cf527dab7fbde3246e4ad833c717622a6c5343bd6dd98089f1cf882
SHA512 5dc38eefe83d712745443319de5133a5c39c882e877a8515191e08ec380b92b5ec696d81132ec87013e35a94adb0b3a3138f2a00b6d96c07977a4df100836ad5

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwintl20.dll.exe

MD5 0beb50dadb8afc51e178ae7fe2739de8
SHA1 7d7e8e9463dd77205c3504ca1697bcdb02cfb963
SHA256 8fd5989dc77a2841cffd5c59452f2327dc04dc940b1e99497f3030c4bef91de2
SHA512 dc549efc97789496d088a30b896242e2f674fec2568d0ba0f5c7271bebff232412a3165d52dff4a49fe0739af29019e48292ae2c45942ebf8af77ff51462fb1a

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\branding.xml.tmp

MD5 ffdcd55a48930d6e42f21ce89dc50dbd
SHA1 2722f6e6df5caa83e5b9d8c0301b915781e6135f
SHA256 5b5a81f559520391471dba4783444bfc96ff62783fc0770fb6b6b65c0dbe1547
SHA512 c251cec1c0f502e013344d864fd32eb8aa4e5620793173abbbc393707d89057f92f968a269948b847b4a505137b5608d37dd3cd69426fc03ef3e611966c3cf69

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE.tmp

MD5 ff21e10e9d8a4f7a72acefbe40be725f
SHA1 4dbadc2e03a03d940576fe70a42325b831f1849d
SHA256 ee302b8357395d7a2736cb1687bd8fe96bb93c1c6d2e0fe0936a9015aa19a19a
SHA512 715048c7da6d73fb788a35d67302ac1927a4b851d74071ce06c930b744a49fdb0405baa7eb5591e5ed6d68bc4dc6923daa474ee878fecdf542b5ac8aa3cef931

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwdcw20.dll.tmp

MD5 07c20c5b5d1073e2a6ce0a7858fdb02f
SHA1 37704133ad26ee275247b70b3cb94ed1e8201e18
SHA256 cefd2cc00858ffe36c4e3d14e621928be6141629b90fdc6c3be5f6654fb9fcbb
SHA512 0eef891445e06642b4ac148ed278f6a0610210046a0011c0e9d5f8d956cc848d9f31162fc5c36dc0ce6b7d60ff62073f5398caac6a0abb9e7bf8f154d069010c

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

MD5 49a3e67e94005a993f9a5414ce1bc3bb
SHA1 33cfa1b191b3abca020b299aabfc6c8cd5bb8095
SHA256 562b5ce797d2ba85fdeae567d76f31e7822e141064073058d1259b559abe36bd
SHA512 a9ed84a091fa3ca45d6ab4f5a4d1988a6d70199cee009eb0524f0c3235510677243e43bb4e4c41a351e4c55125138bffc940f343df1b73df74f81781e764e46b

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\msvcr90.dll.tmp

MD5 c4d5002c0d6820c616e090e89f1c9311
SHA1 ebc5c31ff1b41fe60fe10514ce6033624f318765
SHA256 c2b840a068ca49a5e12caebdcd5f0cae1bb7d75c0b267fab6a0273419a27fe29
SHA512 f523f3c73ed752921fa4576540e7f2ef0b19df9c759a4a3ef8799f4984667a304954fe3faab3c2d57d6bbd118a156fa3f022d5aaf1bb90ddfc9d5ce9e98f47cd

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeLR.cab.tmp

MD5 be075f695ba709c0c7cb7fa032d5728d
SHA1 58eb9756a991834acb8ee1b5561e97938d1cd741
SHA256 e71d55f61025d037bc76832278eaf6ea1f432571a6d9d00364a2aa9fe9cd7634
SHA512 9cbca4819a716c989d3ced9d63bf3335ddf278e4eb3d46edbcd22034e6083e479ce7533da7bc666c3accdfeb93bc3194e0b83f87567087a567b98171433ba432

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.msi.tmp

MD5 46e3641ddd1a101e6a1398ce8296b337
SHA1 6a5e95c28ff70d0e9a8e14e2bd470c0990655fa3
SHA256 01717a023be3a651d90de04666737a05bcdb63e35ff906177e9a393fdc8bb06d
SHA512 86bd0353efd68d9cf35f1fa232fd02b0eef58086feaf2cfbeda0946c7cac069d82d2c1b98c0bf3c93993ea968da99681c2f5fd91bc3139b508ed2071bbfb1c3b

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.xml.tmp

MD5 c1f8052b35489dae2e781e85a8f66fd2
SHA1 24393eafec80a9f010c95de32bf1bd83facb04f9
SHA256 a58746cabe195951c3168c89e2b9c0f9aa5463c9f04b0f97fa01b987ef975c40
SHA512 748cebb8eeee4d165e6eebca0e3702debe60de1ddc45cd04ab92c886af4bdc380371b57bd3e87f7ffc2596e48d853406d28096d4d61f7ac06546c2d028260866

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\osetupui.dll.tmp

MD5 cc855d39f5ed525d41f45c4d9063abe9
SHA1 4fc21f57310bb44bec0b5f8e8500c8a0173b5dff
SHA256 f8ef29c946d661e0a0c6696126426750fb21cb2d9e45849942f052bac96d9867
SHA512 b3cee25981a9d8638d93bf80b4edeef2ad22f36032381dc2f0eec84496786e38de1d952658ed2330e61219ddc6862c5498c5f5aae4df19d051a94a378ab52195

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\pss10r.chm.tmp

MD5 204a3eb32edaec84f673ead2c774948f
SHA1 df6b09e3e4937c89283bc7a68699ce7ce00da85e
SHA256 730741a2d5432bf6ccee4b978543144c39849bfcd7f440010e8dc45d39ea60ff
SHA512 8d2042a5d8d9efaa3e256a93d8ec67bb2340b873f2d62f8f05a76a57f4f6743f50ad7782d518f365c861437b58cdadedd86a0149d8c851d94ae216b1364d27c4

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\setup.chm.tmp

MD5 a238edc69d8692f0d6d1bb84843c5451
SHA1 8c4c38bf1c08d4715d62304bbba143e535e60623
SHA256 6ae0e88cdb9dfee36e365063f7557280350a040fa413d73937e34ebf6ef04067
SHA512 97191fb4aa7c43a405205d03ab26ea9c08a398c9c34a7c8f4879a9803549904986c48760987636fd916387ba8843bc3831e5fc8b028b377d73aa612bd07a9649

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\ShellUI.MST.tmp

MD5 03b3f8e6be60c3cd30940f4e2ccb4f5e
SHA1 71cae6de6819b9a9c49a2efc3e248ccc84f15338
SHA256 c5e5e998294d401ca240e7ff98ceae0ecbaa5ee6cb26db07a99e2ec2697565aa
SHA512 c7e1dba836432c08011ee035a333e785c8588892fbce8d7a5992cc9a587f5c540625fd4c315f71f50a93b05523933d8c88a76ab8896757159b2e402cb17a2e0e

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Setup.xml.tmp

MD5 127cd27552aeff06e4be35735cb9181e
SHA1 55bd0ea2b24a9162fb12dcc227146b28ab319bac
SHA256 757269ecc62ad282329c9df1b65da1eb9b344b599c667d3c214bbb8e7fd75bf8
SHA512 cc98161f6f945a61791fb0d8cc3321591ecffc25ad67dc3cc90e073c42af2a5850b59c122bb5017a0c643701ed46d0dbb738097c6175c3e5c1731ecf5dad1c93

C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.msi.tmp

MD5 fc3efcf7a03fc9d56d9e955bee201221
SHA1 6bd75c4efcaf8e759b4a636aea9869c3978ad0e8
SHA256 0e96e8e95da6cc440348609b85e1c62f92d3b849826e04f5ee0034e1739b6388
SHA512 e31bd1803e23589654d129d1f1e5ac5e6c17baa01417e142dcdced2a963e163fe2b52687ee819a0527733a3a2cdd60d4f42d8d952977920b85344945a3a4084f

C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUISet.msi.tmp

MD5 4c274458f209ff2e1bfd1c4866771bc3
SHA1 d8f8f1a35effc1ab11089920b10d4035558c1739
SHA256 27074c4cd3c248704f2aec855282e2e3b10c39e591514a82b85029a03deff7fd
SHA512 c5c7e8c817709cf1be8410468ce89b6f2e96d78da710aed3cd7e63a07266ef84fab28b1ad86c7464700c26921d8450fca6758ce51cb77688ff7645152693c906

C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OWOW64LR.cab.tmp

MD5 1c6416df13e78cbe969f63af6d485300
SHA1 11ad4c6466ea8619e766414b4454f7a96dd9e57c
SHA256 e714d07c46967dfcdd1dc39663a55670ba1a9f810d805d6ca5e84643a0c29223
SHA512 b71546ca2ed9d13fecef0ae7dfd4ba1a94be844d2b3e0f01ba98a222442ed38ce63f32b74bf2a372f4ed69c5cd92296a2b7db1e83111a23be245dfb9c3b7bbf0

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccessMUI.msi.tmp

MD5 40756bd8786cf9c672cc9be5fbf285bf
SHA1 0c64e58395287757b238ed73aa5a5537a1f5862a
SHA256 f7e128dd31d72f7ba3ded283f2b3388218818329bbfc7b842397c9e7b2d24900
SHA512 73325025bee2f391ecbd9b47ebc6eb16cace84a0a20e0f224ad6956aad789c9ee8f61cbda505e02bfd438e302c641127b1808bce24e1d25564a764c0751ccbae

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 04:45

Reported

2024-06-13 04:47

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5f76667bd99c9aae7919aee0b5050880_NeikiAnalytics.exe"

Signatures

Renames multiple (4790) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_Get-VisualStudioInstallerHealth.ps1.exe N/A
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\5f76667bd99c9aae7919aee0b5050880_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\5f76667bd99c9aae7919aee0b5050880_NeikiAnalytics.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\WindowsFormsIntegration.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VisualStudioInstallerHealth.ps1.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ViewOnly_ZeroGrace-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp4-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VisualStudioInstallerHealth.ps1.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\nl\msipc.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VisualStudioInstallerHealth.ps1.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\en-US\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VisualStudioInstallerHealth.ps1.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Tools.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\UIAutomationProvider.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre-1.8\release.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Compression.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\UIAutomationProvider.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\fonts\LucidaBrightDemiItalic.ttf.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest4-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VisualStudioInstallerHealth.ps1.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_Subscription-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-localization-l1-2-0.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\GostTitle.XSL.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-80.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\msvcr120.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\7-Zip\Lang\mn.txt.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VisualStudioInstallerHealth.ps1.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.WebClient.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest5-pl.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\OIMG.DLL.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VisualStudioInstallerHealth.ps1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\WordVL_MAK-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-180.png.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VisualStudioInstallerHealth.ps1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-80.png.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VisualStudioInstallerHealth.ps1.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Grace-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VisualStudioInstallerHealth.ps1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\ReportingServicesNativeClient.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription3-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VisualStudioInstallerHealth.ps1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_KMS_Client_AE-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-140.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Configuration.ConfigurationManager.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-stdio-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VisualStudioInstallerHealth.ps1.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fi-FI\tipresx.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Collections.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Royale.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VisualStudioInstallerHealth.ps1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-ul-phn.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Resources.ResourceManager.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VisualStudioInstallerHealth.ps1.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Forms.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\UIAutomationClient.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\UIAutomationTypes.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VisualStudioInstallerHealth.ps1.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\lib\tools.jar.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VisualStudioInstallerHealth.ps1.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\deploy\messages_de.properties.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VisualStudioInstallerHealth.ps1.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Dynamic.Runtime.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Serialization.Xml.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VisualStudioInstallerHealth.ps1.exe N/A
File created C:\Program Files\Microsoft Office\root\Integration\SPPRedist.msi.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VisualStudioInstallerHealth.ps1.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_OEM_Perp-ul-phn.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-180.png.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VisualStudioInstallerHealth.ps1.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\it-IT\TabTip.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VisualStudioInstallerHealth.ps1.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\oledb32.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VisualStudioInstallerHealth.ps1.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Windows.Forms.Primitives.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\PresentationUI.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VisualStudioInstallerHealth.ps1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Trial-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VisualStudioInstallerHealth.ps1.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VisualStudioInstallerHealth.ps1.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.WebSockets.Client.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Resources.Writer.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VisualStudioInstallerHealth.ps1.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\UIAutomationClient.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VisualStudioInstallerHealth.ps1.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Windows.Forms.Primitives.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VisualStudioInstallerHealth.ps1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\GKWord.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\az.txt.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VisualStudioInstallerHealth.ps1.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\oskclearuibase.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5f76667bd99c9aae7919aee0b5050880_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\5f76667bd99c9aae7919aee0b5050880_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\_Get-VisualStudioInstallerHealth.ps1.exe

"_Get-VisualStudioInstallerHealth.ps1.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 84.65.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\_Get-VisualStudioInstallerHealth.ps1.exe

MD5 dced22d476bb064fb27028b78be8f991
SHA1 2b87ae700aa4f921fb8066a3603be392d3b64c14
SHA256 2bf192acfaa418cf025239b94064853d0103a8a3b409895b29f3a846f8b3d8ad
SHA512 5a32da24de410c59598d4e53e2be400dad27eae32dfe9af02a40560f1ba3e6942731bfec6e64e4e53acdf6888db31738b07c9713a40de3e4395af714e7425b4a

C:\$Recycle.Bin\S-1-5-21-3169499791-3545231813-3156325206-1000\desktop.ini.tmp

MD5 462edc5dbb54ced02bbfaece360004f3
SHA1 851723ad5be1bf4009fa65333ebb87af371c13dd
SHA256 d584b25259e8158164539452341544b4e0798cb7e643217225275869373fb1ce
SHA512 d2ea878da4b0445b05ab6a6ec0d49b2e7d75492f358c3306713e21e83eafdb6c6b02ad1406f8cd7c681d9f5719072de66e13f4a8e5658b979676892abfe9b3ea

C:\Windows\SysWOW64\Zombie.exe

MD5 f052d15f1b566107764a2774908b6af1
SHA1 9e1028843bff7fdffbef8a8a41d0f96811c6316d
SHA256 f85dab0872df5adbdf677222092b0856a1838d56cae16021d069f293b4b34b61
SHA512 40ec41f35a125c28196e16365bd2b8b480edcd6d19c0132f248b3b32f04f22fa49efe1c7bc5acb9106215e1630475f4e3ba562d77b2d707b6dd1bc1562c798bd

C:\Program Files\7-Zip\7-zip.chm.exe

MD5 992346ceee965db037515ef4b2e5aa7e
SHA1 2192bb019f35e2b12cb3142dd2894b8ddd8aae05
SHA256 60dec378070fd2c1a29ba02024362dc269f891c40a2cec9d9e3843b9fe2a68bd
SHA512 73a820a6b4ab4aa981a35b3d9824c66da183bbed9b59ebe01b853d73c607e9bc06dad158756cd6c2ece03a5a8e6a21a9683864abb508693cb32491b281563bea

C:\Program Files\7-Zip\7-zip32.dll.tmp

MD5 3fd64e7232a8bfb586b573e423a691c9
SHA1 bcab4b21c79eb46849b9c50a2f6bc755ed606d02
SHA256 7961fe9d43b30f2c9be8a0d31b0918da8f1dcfdb573b55ada3e770375a6c479e
SHA512 10176ea874667a30888cad4b9253403b77c34158c56c59f608ccb9ef13128bd258419f9620e944828460f2c7966c1d02b426f1de171989a0fb42899dccf363bc

C:\Program Files\7-Zip\7z.exe.tmp

MD5 e41e1f5747a2575e5dc924124b05afd3
SHA1 11274cc4a91d3590dae792f809c26e6a2f732293
SHA256 51944a31b3e3c1a2e01c09eb62b7e85cf17ff2c6f1d3266fd33ab0e76f18c014
SHA512 108ce469931dcdd7ae6dae6b9709b0df783b96f8414413f5772d69100f68476bd523ccefd60b991ec196e8f42be97405bb421d6f5ef7347c93808eb4d03bdbe8

C:\Program Files\7-Zip\7z.sfx.tmp

MD5 9881dfd195a89354017431c6722bbab2
SHA1 d4b92dd4284dc7a236b7730a8cf63da159193fd7
SHA256 dfd37a31a07e4606cdbd6b3169e22aa87f4b41ba0afdddde1519254213bb579c
SHA512 776075f05be66e091fe16861cf945101e0a72a549787df1257553aedecd483b94956110eeda6780b163d20f143eb2aee8aba5775fb566b6408220671b8d6c5ca

C:\Program Files\7-Zip\7zCon.sfx.tmp

MD5 5969c6bbef983b65104db4c762c9c9b5
SHA1 36b4353509aa2387216ef2a22cf307f4857e9582
SHA256 8d6dab912013c77832c82418565b9217973069baac9fd588782209e2c41e343a
SHA512 557934861d5bc7670b77afb3c210aade45536657cb7b71f1916db0d1ed25a9c8398a1dcc0bde5e01890de315a89754ae8b14a0662bd6bc240283c341d359bc14

C:\Program Files\7-Zip\History.txt.tmp

MD5 81753fc4e9aa53ed0815334a7b2f42c0
SHA1 a914f560eb8305df019ba6fca0881757bdd40b93
SHA256 3d547b9717dd5c9ef9170d4cf16afdc04f26cdaf863c2b5232bd04ba6920829d
SHA512 15be4def76180efb391d1f7efca9deaf45adb9c5214bbdfdf1f61e8023eb73f514f86b13c0a3daa58ab7c39ac150210b34a3c7891d767a0ae97204e56d0b7b47

C:\Program Files\7-Zip\Lang\af.txt.tmp

MD5 0a1b83dc9507aec6b127fbcd0a270853
SHA1 59e097ef95f8f2a66e769c90f4acb18775ed7c48
SHA256 779bb6f2aa8b05f95b048c0980d1ef9ac0f5e3b9680c663c002040e987743ffc
SHA512 1dabd02680f44bbc3fb437853f84ed7e1d95295305d2b6be1a6f329b408f6a82be7a257dca342457380165e569af194c5afe7231f5521b8f7b8a0036f2eaf88b

C:\Program Files\7-Zip\Lang\ar.txt.tmp

MD5 fdc9f8ebb6204ae8ac7ae5e378d52665
SHA1 68a8c75900db4663057e46de0f7529a280412157
SHA256 3b7b7f50d19dd0c9036cba14fb1de0df6dd0ce91ac8a740c4ed349fdbc081c07
SHA512 82b835b21ed413e287606c2a66a6b92e50976bc1e49c89f93b2a3c848c64af2cdb44eb96d9a4d12c1ccd2b68fa6da71f47fa88c6da274b250ecc21359c7b6b80

C:\Program Files\7-Zip\Lang\ast.txt.tmp

MD5 a0c62f7d72efac6a9b6fbc40bbc689eb
SHA1 2f7717c3da14c54f45c190c9046f3d64ef25c1d4
SHA256 e652b72a21365f018fdad9495f69da2a4cb0668cbcd59e1841f325f9aaa8e06d
SHA512 b8d9520529754162b8622673bacfbe59e5570395ad1891d061ddb87f7dc9d06c693b873d57983614519295ad17fd956acd492ac4169425c7eaec81cfb968e797

C:\Program Files\7-Zip\Lang\az.txt.tmp

MD5 502cbdb660e9f95336a3e32fb3034e5a
SHA1 0515d61fafbd18298331d9e0a26bf306563470d6
SHA256 0d14362e6e1217ded9a17878bb5c8895b9e12eecd89ab3b33e0ec7b6556ccbc2
SHA512 4edab2d4115fb5cf245e924ccdb6a57de7e8b1bc7c10b4ddc45764d19600ac503f12326c491ac4194cee1b42a551602afa57a4b18784e3fcf186f6471cf60030

C:\Program Files\7-Zip\Lang\bg.txt.tmp

MD5 bd89238f8f04ad5085250dfeabcd55c7
SHA1 c0fc9697ff8d8305f32cf2231e3154e8cee06d1d
SHA256 6e47e1129fb7b21f522debf5d0bd4bc3a9c74f257cc3c3de4b8687fe73bc8e16
SHA512 f8353d6e3337d3302fc58cfcb3762eba74578da3bb4a39108c1a390741db1ef2192b0f878ac2f1d606979ceceb99c007215025e35e5921c7e715da9428b4f479

C:\Program Files\7-Zip\Lang\ca.txt.tmp

MD5 0ae22faadece5133059e8fec820b694a
SHA1 64cefdb71d2f4b9a8f5cdc8e1fee94d7745d523c
SHA256 2388121b5fd61cb98aea44053bb2313a3110c08718f22a0a49cb676fb5979b9e
SHA512 ae88744fcf6013a5611bd6fa05b94e3687d46692d9a7dde12d7fe6cbb161bc4f4064249e4bbd3cc8c93805c8a5dce5ce1eae1e528234955d29efcea560b3457e

C:\Program Files\7-Zip\Lang\co.txt.tmp

MD5 3f55753540ec974594a1f0a2b650bbeb
SHA1 88c572ae9563fabb79bf2ea1f56f6aaa4ed69194
SHA256 3f8ac26e9256473c17b1e6dbe5680da3a0a1777043eadc879d5a078a4aca80c8
SHA512 aae42cb3414a0420df7ca943ced780e8440f591f74fefb4dd8a8342efaca1a2b20f1c7199747447c24a402e9749e4e3404c5eb65d8ef442dc7658ddbba62a2f3

C:\Program Files\7-Zip\Lang\cs.txt.tmp

MD5 9a85b413e4049a6acffa74e7fd645b52
SHA1 509d52a1accbc874d3f52f88967bac8a679a4a99
SHA256 df0ec46fadb51a6c6bf9acaf81a4b42d11c41e4e9fd29fdaaeb1737c727c0e71
SHA512 e798660f2ffc28babe887704ff276ed142f2a81f7268f6abde89501c81ad53aa092365b39026e9828912e183d34d807b765b3d41037f5fe7f0c1b051e688434e

C:\Program Files\7-Zip\Lang\cy.txt.tmp

MD5 5cb9ef37dc16c7c1e1de2cd99d68e7e8
SHA1 1ac7dd1649c6982d7b45d36eda9661a3dea117c7
SHA256 5fca32bfa2d5cb5c47006d3c53b61135c99de925d840bf2ba4048204e18f465d
SHA512 0f131af1e0f64eb0c14ac7be6909644bb5e869a6f693d32cc9da5617413f46aa1f6ef7cb3f171efc53cc6551afe5fa71d0cc5d531f941b3fba06b380b9bc4cf5

C:\Program Files\7-Zip\Lang\de.txt.tmp

MD5 c68d297432af3a4d18026f7ff07f3904
SHA1 b9fc54e104ad9e0f9f483fed6143c45d52c4104d
SHA256 2f04f8538e993e1813963c8bcc35f18dac8c30df3e6faf2c82d5222dce640f1a
SHA512 8e7052a425156a8a941209b57149606609fb24cf83e03edb8076b113e34283b51acd1eb242a6743dbb5a47c869d95ef4def085159909b4d711bdd7e52191b7ab

C:\Program Files\7-Zip\Lang\el.txt.tmp

MD5 f6116b3e87a55db343fb39e3e45690ba
SHA1 1341d6ed143e1ff5922a8604bd87c736b235ce83
SHA256 026563f7e4b661892f806fe82e68c5a5131efd0002862731e795673323bec4de
SHA512 f3de6af6f3149dd1a3360fe6b5021124831b0a6305e92ed8f34a67f6c7fee872a338042c7389e12b14787d40970183315d0fe16863f29105279c31421f6c6f70

C:\Program Files\7-Zip\Lang\en.ttt.tmp

MD5 846a27b2c2c2653c184d87f5043967e2
SHA1 2bd423c9250c79c389c9f6e6f6c2ce5975e0e873
SHA256 ccd11344f331dc2ab5c5871d13c684a349cd12a048e3e4c6d02135439e45a893
SHA512 c8baddcff669ec43359868bf2ebeb62cec73505ec740c06ccda712e67b4cfc59c387d11806fb2f46a88093e0a67ae8080c82eb405895f93c0e74fa50ec64cbc9

C:\Program Files\7-Zip\Lang\eo.txt.tmp

MD5 91fc95d331e86d344856f5c874545d0a
SHA1 06f9a357013b2c29c320f88afbb6bfe9b7a15464
SHA256 0607814bab8f5688bb638c84f439828beaeb432f2a42747aee40e34d336ff0d0
SHA512 8bc6593a1ff31a38a340a56c595a91583323a51c4d5279be954f2e87fb921fe54132e1207ae294224d4e0395558a9bb505021d563e94ae09e511482727a9e8ff

C:\Program Files\7-Zip\Lang\es.txt.tmp

MD5 676f4de1c161aa540b05d35641218b4d
SHA1 84dcb0cf16a6b24e44e63e1ba63ef92d025d9984
SHA256 08857ff5175f567792d82fb3905a10b2304195226b28c810d6e614549e9a4814
SHA512 69b4f6c13b8ec94c1e492f84f5ab247afc68ee4066d2b0e3590d0103136a1a8f0d49a30e7b6a0fa338c856644bc058989d68f053468529c2065b6ccf73956b10

C:\Program Files\7-Zip\Lang\eu.txt.tmp

MD5 10ca48999b4f8da2b38a164df38616d6
SHA1 664d099622921fe6fecefed1f79c7bb2c71c3143
SHA256 5e23047b798aaea099ffb526a030243b0c98d5f2a9b4c6c84ea97f463828d07a
SHA512 459a51c8518fa5d02e9f45735ca05536054f107062c1aa4b6b35091560981911f58e19f4f28f22ceb870e92b2aafbb1d17b0f7aa05654492e91fa9ac2c8a0413

C:\Program Files\7-Zip\Lang\ext.txt.tmp

MD5 f2f254773dcabc79e9515ff0fc117bdd
SHA1 aa71dd33d985c6002bbe2e25bbc91dc056910dd4
SHA256 acc6acd9dc9fccc032c20f5e83fc2b2d6b54fbd045287526c67252c5cdd0b3f3
SHA512 e712c91badc50997f5499eaa0959260fd1b321b30058b958c277b8d440b484f181f58cbdde54b7159e27a74bd98fa2f9451772c62930bc5232708df7932bc024

C:\Program Files\7-Zip\Lang\fa.txt.tmp

MD5 3d997270db4d4cfd4d7b9a99c76f0239
SHA1 0c9fd14a9bf5124ee19f65c22ce6b73577a6783c
SHA256 7f2cdf6728cfb024130012db04c377e48f0d58cb222d98b79ffd71d6c5e51c31
SHA512 74491d61851f1bb4a183c145b9a5243ecacf0dcd248a7cbd8abc3f73b106bf715f64a92293c9f52a283107605b94cf2cb54219e1122594d06d765638f4c1ddf6

C:\Program Files\7-Zip\Lang\fa.txt.tmp

MD5 0be18960d8915420043aa1a78e7d51e6
SHA1 5a1c6b80b62e28409643a939635ce9446ea3addb
SHA256 2c0d12d5fb7044b9420f180652c3ecf11763a76b3d81f4e33bce10053627ea0f
SHA512 24817fcd0133875cf892ffb6aa3379f6d490607d6f50a5de42c860ebee5065087fb8becb1ee43541aedc042db810b9b976f6689f3cda9d7cdf76af6603045e12

C:\Program Files\7-Zip\Lang\fi.txt.tmp

MD5 759c970050b4aca248768f796c7ff7af
SHA1 357d6f2a4deca29247115cafdcffaf318502b398
SHA256 c488bd2cfe7e32da87b56dd150b479a662d9d42e9713be5ac935bef1b79f43b5
SHA512 50f0b8806b0e8f68fde4802fe4eda9599f28a16955fcbfe07b8cdf5fcff05cd2589739d17a58cf9b49d2448496e5f9cc23892e4a80c6890ff0075df5119e2ca9

C:\Program Files\7-Zip\Lang\fur.txt.tmp

MD5 885a21e2ade0caf9f8ce268d9ce07bbd
SHA1 fa4ffbfe90b6703456238585fb1f72bc628b92fd
SHA256 7fcafa46ac595b1ccab1316ef3c4acbdabdaf6964b8c7294a59f8325b6e6ae72
SHA512 c26a84453faa1a2d389fed5dba8363cbdba34f415e1d035a5957ee07dbde31e7d71bf09a6cb7550df5e87b92dd056a2a873fd542e0d5ee8ff79883eaba341654

C:\Program Files\7-Zip\Lang\gl.txt.tmp

MD5 141daae933b7d3e138692efe3315c1df
SHA1 7d25b0b668a2f23ed9fa70756293c6b4836ce780
SHA256 62a02005cbae89df4b3ff145f5431507fb23b49c718eb6a439072f8266333b35
SHA512 d0d21989014adc90f28209445fb5632107208f0e22a2eef36e9ad8dd4ecd83444e91968fd17a7c1a121b6c405217e8a232ebb8ca73e931803f3ce8987207da22

C:\Program Files\7-Zip\Lang\gu.txt.tmp

MD5 4de5e001339e5ec74b37647073be7fd7
SHA1 9165fedc9c9867fcf4d560a9144d33455c88f4dd
SHA256 adbf60d2c48b5fed0fd00ca1a6908f41ee740c5f5f041c8adc239098ffb83a53
SHA512 9239d0c261ff53fd78842ce61503e4606aab1ec5c810fe0dfe55aa4015c606c7d69722e121deaf0fa3ab87efe84a1410a9b98b91daa6825d52b6cd92d0f87c3d

C:\Program Files\7-Zip\Lang\he.txt.tmp

MD5 c786656f3de966f02989c436dd02063c
SHA1 59f7749aac72ba40ff5215f7e2405b3fe3386c89
SHA256 608e40b5cee8df60e7a3890d1a1a2e137eca3b6596af96e3b97365fc1f6d2c3c
SHA512 c278df55d1e95ec9dd6121bbfbb347a2155af3f5a5abfd8f8f25bf015a1487daf0c4b452497b41f9d44098b304692a30e97eb2203c2515b2eecf88e833673607

C:\Program Files\7-Zip\Lang\hi.txt.tmp

MD5 d5e4dad241934f710d7ef1c63ad9ee03
SHA1 2090d369e3f5c309d778096e4023bd5b5075ca49
SHA256 5c497ec75af327ce3b0c22e5b0bfbe73c18067113b60855db410d2adc0ea577e
SHA512 bac36748aecaae49951813d5211ca9197d35cedd1278de755439daa4a38772bb63f363f2a8eb4abbb442d45788c9cc82fbf4ce5feb4fbbfa2ab183e925de3e0f

C:\Program Files\7-Zip\Lang\hr.txt.tmp

MD5 b4aa87cae6acb4d63fe5febb9f9c0bc8
SHA1 9ae9a60679ee6ca6586976999783c79601c37498
SHA256 442f64659772ffa3dcdc69f52f35ac9a90339470f6ad48d29d06f88a5fa92f79
SHA512 11588607dc5d56a5ac8cc088bda44ba47b38aea196611911fb27cf2d1963596ffc04b4ba02ec44c4aa83c94fc084916ae6972673393b92890ecbd209ecd2652f

C:\Program Files\7-Zip\Lang\hu.txt.tmp

MD5 8b960f81da957ee4688951804024a87c
SHA1 cd44bdc58888524741ca3ff8def3f6031dd571e2
SHA256 10fc4875bfa15557ad24238519dc8e416edd822ee8f2b12283e546349d90c2dd
SHA512 138545888aac0cdc81e1d139525557bd42e1b5727747860c9c72cf453a286030dbf3a01254decd14a1ff3974cbd96ab185902cd9a9a4cb5689da54070dc781f5

C:\Program Files\7-Zip\Lang\hy.txt.tmp

MD5 71de5449b939d6c4d51e9cb80588be04
SHA1 779af9ae7f36ceb9fc452ba778c0329fb915a3a8
SHA256 975df0e599bd73f7668df56b9517b23851940ddcf2e49f3b22b2c761bac4d292
SHA512 60a7ec9bf795a7f20c4561b24ff2d6b1388274855050f0afb77507667d7f9f7c1d4e19426bb2f3f3371994f1292c5dc31002daf5656efca825b137ead3988109

C:\Program Files\7-Zip\Lang\io.txt.tmp

MD5 39ae962b01b5f2d80a1711d3571ad73a
SHA1 04ac7e6870945bebb7ec4d0392e40776160f6ecf
SHA256 29b7966e9431eeaca63b55bb2bff33d1bb18e41368c4856d29d856020983870c
SHA512 482d29769a3e67c45fbe5613710cd2a085a4847757e7d84916ca4ca18b2cc46bb2150d98acff3b993993989cd25448c9f01d6aaf20147a0bcdfb44885926e8bf

C:\Program Files\7-Zip\Lang\it.txt.tmp

MD5 199e530e7dd711c9c3b588a6120c7dca
SHA1 612209f72242f2762ef19a7a78046a2097e1a7af
SHA256 bbfb60f2a87b8cda3e69abf8731826a000f8d1101653ea6029d950621d1e3324
SHA512 e4ff5374153d6d33836fe2664a676610b551f6872e52b1bc7f4d4540b39f3975c4a90ae03b4255b80471160e88dd220e9a46cebab944e2977f6a1be12768eb4b

C:\Program Files\7-Zip\Lang\ja.txt.tmp

MD5 3f5befb57ee77570011bed93f1ced67d
SHA1 726f91f69913330a6dfe1d6e5ef74f8ec20ec057
SHA256 24b47fa612b7120b138016eefd197626e770da5270d2a8e49cda184f326d0c62
SHA512 ec8362572df0d3abca21ceabf7821a631b976b407045d8a33a4c6b15a08b5d0d309328a88811e5b2cc93a3f7a7b3101dab56d997dd3098fe6382f8042ed6ba1a

C:\Program Files\7-Zip\Lang\ka.txt.tmp

MD5 fc0e25266ad5236eff20bd1801c46641
SHA1 230cb41b54396420109142f22a237dfd31d10223
SHA256 3c914f4e6cdaa4eec196b6339b0f67eb7e47d083027959d51c1ce272b2ff75fe
SHA512 322cf40c60863c04754ee383dd8888083a3c614860d173356130593375756ccbcc9836874da6658cb4ac6eb7f1ebdf0bca07d5d95ebf9e938b9fa4f018f41921

C:\Program Files\7-Zip\Lang\kaa.txt.tmp

MD5 f450feeb9362e0a8342679a8cce1ecf1
SHA1 7cd80217dea67665ec2e5bbc5e8dcd3a764eab52
SHA256 304235d23ef33146915e8e76f86cd3632510257f5854d44881c07520507a0024
SHA512 477a9bf09deb6f25e9cc42a8e343a2157c2156327409ca053820aa116c1e0f13b0361020ffa6697b4ff58219a4c261044f74b8f85860caf826fed1b6d3dd66c1

C:\Program Files\7-Zip\Lang\ku-ckb.txt.tmp

MD5 2f603a827250f2b37442a09027ffac86
SHA1 d555ea9a2b56d858c486249e136f0342b6574398
SHA256 da07b69dea451c3c9b1d7b88049242ae8d57c8829161d0953b5ca4f7300a13b3
SHA512 d47957acc1897bcb8eadbe6474a6de3e72447a868669ed5680f83f527280a1691b383f97d23c8a25e8258a480ba8de8f5b1ee59b262705ec57044e718cca72ec

C:\Program Files\7-Zip\Lang\ku.txt.tmp

MD5 6aa97edc5b967ba1d0a4824e9ed3380c
SHA1 158713af6a271f944585bb584bd8ccae034a424e
SHA256 74643561364a3bce0751d8d45d05e13513d10313c0e5bb12a3c16044eb128d26
SHA512 af4bc226919be98273954d5f9335a16fae983d26e37999028326926519fa9020d672ea92fdd5ae3986f434e677a1d3efce9250828c9334ec71cc4f37e097e92d

C:\Program Files\7-Zip\Lang\ky.txt.tmp

MD5 2aa735e394180343e0d1170306225da7
SHA1 48c52a8eb9671d66b5600917639fa863ff589f88
SHA256 bbaf53e248e41530efadf22b8ab5549b13abe0ca9b39de450d4de3fe1ed5be53
SHA512 085a13cd6bc06998dc5f3ba64b8c95b71115dd548ea141a58c8235d970d8ede36f06862145531a74272de2f2383c52c75f70f5e47a71bc55ef597e3d24985ed6

C:\Program Files\7-Zip\Lang\lv.txt.tmp

MD5 af9229253d8d32a971eb4696cb691c4c
SHA1 78a99a74ecd26dd0d9bdee5811eb3a5c03a3290c
SHA256 525236c99e38b5a8d68e6c954565307f09372120736c88efd9be653202b38602
SHA512 c75d58a006bfce7807b9460320d5624eadc875a20bbf927f4a526e48dfc13b36f18b9f1a48c4d9475f690618f0ce6404c5c81a6437096579a617d9b54fc043e7

C:\Program Files\7-Zip\Lang\mk.txt.tmp

MD5 9cd48267c63bcd8e68e28fa086d711ce
SHA1 1c3a74004e25cefd389c24a91996cc52bd562ca6
SHA256 da4371e16ef82d60fe934259db3df0be51300807ff9346c729962759bf414075
SHA512 cc5995460f51d073c5c2f3fead030e66699a7ce00ac865c13649a282e8c5a5a6c311a2c7adb735275ef0977b0be729730d2f407c9925bf32cefd3e4440a8840f

C:\Program Files\7-Zip\Lang\mn.txt.tmp

MD5 24250c48f2bf287db67ce88d778a6810
SHA1 328dacd9373c6ee0ad06fda5475adc6826c4b83c
SHA256 e5d86165bc79e22046787579d1ea439ba248fa8b3648e8bdd066ca6bb27458cd
SHA512 d4df430ed4e44a49ed1acbfd578e5c40a918585004a5025feb2ea14115342fd345725b4011a55783c973fccd24ecf63c552fbeaf210d90b01958036895d8e91b

C:\Program Files\7-Zip\Lang\mng.txt.tmp

MD5 910523421d9459dd563e41e99889f039
SHA1 55cf667ae63c9654b768bf315ca031b1f38fbd80
SHA256 7b65e5d49250d4a32ebeab6b2e5eb25e3d0f0cad437451b7ff61e20a38d14edd
SHA512 7e532a3d27b3f8b6ea8e6c480d2d283988fef3e49902d11e006843007eaa74e64847e4936f0fea0b4cfc01dbbd60f7a381622a3fd0d1e6088f4c363fb38a5137

C:\Program Files\7-Zip\Lang\mng2.txt.tmp

MD5 bab5553ccc8f0f6febe55a9825e329f6
SHA1 c1378e5d6b4d211824113351d57a8cd678aa7833
SHA256 83f9cdaec06cb8c2f17c3fcb0d0f8958145cf3abfbd61bb97667b8d7b24e669f
SHA512 aeb264021073bf0f070bf48b431d186d9307ceb7ba3ff4ec1c5ef78d2091bb04ed9999d598e42adf21ad3d0fc5b5b94e8371eab34d697b5fe349780d1632cd8f

C:\Program Files\7-Zip\Lang\mr.txt.tmp

MD5 402f0438e282a11dbee613e5aaca98ab
SHA1 3045f39f6d6572a6dae2039e8710c4274ad358b7
SHA256 a8b0ee491eccd4c6f2dee05e4c8a12d8b8476d97abf0d3dcd3da3ca731521714
SHA512 2301d0d270ab7dad4fcccfd2debe5523f6fb8ab8b4773e8fd35c9ee32bf1cdacf86201027b562585bdd11e2ef99d1045d492ce46dfa54c2baa318d59a89f31d8

C:\Program Files\7-Zip\Lang\ms.txt.tmp

MD5 684778bbc0d3b2d9b8ee9ac0417d1cca
SHA1 c1aa38f54c32978f0f3ee0c9a6a5099222317835
SHA256 64115af322dba481a36be4f7eb35e82672e09ad0f38b334cf6376915619daa38
SHA512 4aaedfccbb3bf74381ad4392bc5ccd1541856fa6869bb87515406b767c978e9d8ac83d880eda3e443ebfa3be07f32a0913130225c781d1fdb02b8cea51138b8b

C:\Program Files\7-Zip\Lang\nn.txt.tmp

MD5 1bfa403741fa99f903262103ec2eddf5
SHA1 caef3ea1ab54a8fa3c0691937cff887cad088ce3
SHA256 97ec700d4ec1e2f483c063203369d262e44769be2c5b7633411baaba2cd9e374
SHA512 2f8fa051f89ad6e7798345750f4c496bea8b91d8efee2a57da36db9f96ed99b3d5a836b20bca174dca7f512641c8599235731cc11e2b8fd0d8f104f7eb14484f

C:\Program Files\7-Zip\Lang\pa-in.txt.tmp

MD5 fb9ba111e64a4742c3c2ec9ae02b4597
SHA1 f1f30c3b7c7f856329342373e8f32ac779a8b932
SHA256 7e2e7080a86fedbd06abf2260375034de13d1bcdc0265ae1263ffc8063938247
SHA512 f6b2ab90af4e0e42c00a812f102ce51b8bdbd8d1b370ccef3f28f540fa766ec49ee8f3d9ffaac053e8be573a9082def68fad8260be3c69af41974b905e0c5211

C:\Program Files\7-Zip\Lang\pt-br.txt.tmp

MD5 fee73e0fb8df39f97be03fed5e52c5c4
SHA1 8732f3706f1f2117caace66c1ac6e85c6a1b1517
SHA256 bc13e346cae6949e7255462bf91845878b572f8265b23f55a63592d93d23a3f6
SHA512 79c2bb8c930a25e172a90e896f6e46178702f3daeb385491ee33431b643fe0d5166ab3dd7c350d5e6638e3100ae20c29aa9a621a56f10e5a44e7709a6b2ec5b7

C:\Program Files\7-Zip\Lang\pt.txt.tmp

MD5 e470993feac4b1652db2ca7be3928aba
SHA1 4270a11c06f42829d9b7aa86e63825e90608ba94
SHA256 bb222700c68eca38b1b9193352aa363f77cf0cc6aa7286a699a6ac0f51096ec5
SHA512 7d1eb527d36771d102d972a344fa93eda196275a22a810edaf88c5885f2367f46a754591a24d5333d3d8ac286a1ace1d162c9076610827e23617512e8a46d9a9

C:\Program Files\7-Zip\Lang\ro.txt.tmp

MD5 e7b55f44baf2365d238693907e1f3e1e
SHA1 4132abc5f7ef1d5bb55d4056f5679cd76bb34c9a
SHA256 ed8a855e3fd8fced50cc315ef0ff183228a6e32b1cd9b86ae8f51b25139031bc
SHA512 19ca3a49edc5c06da79d7d6db760bc96c547a4a10e6b4a15a8454a503de8c75058427f7649eb3c9d1de02e35f374bd0e1dfe9f324e5ba73f1c06e74e8ca60703

C:\Program Files\Common Files\microsoft shared\ink\zh-CN\tipresx.dll.mui.tmp

MD5 4a74a5ce8b0a1d0bd052ab788a985c27
SHA1 389e16c35475dc4bb8752fe14b03294ce3adb881
SHA256 9aaca8a42b2a4b01c6b89f90bc6f32a60a6eacadd88c42e3c50c5e00c6b64823
SHA512 3de165f51e2facb2fa4eaababd440632e3bbb4fde2517b93b880b7f2faa9cd850bfc28ea7564f5c4885a324132d742d405e0e105b778d018ccb95491cce8b2f6