Malware Analysis Report

2024-09-23 05:04

Sample ID 240613-ftel1avgkc
Target 60ea48f1b56b1b78e2872fabb37124a0_NeikiAnalytics.exe
SHA256 2eebde60adff4947b3f409d82f08f3090f64572df862a20156082ce924a16e08
Tags ransomware
Score 9/10

Analysis Overview

score
9/10

SHA256

2eebde60adff4947b3f409d82f08f3090f64572df862a20156082ce924a16e08

Threat Level: Likely malicious

The file 60ea48f1b56b1b78e2872fabb37124a0_NeikiAnalytics.exe was found to be: Likely malicious.

Malicious Activity Summary

ransomware

Renames multiple (1521) files with added filename extension

Renames multiple (5068) files with added filename extension

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-13 05:09

Signatures

Unsigned PE

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 05:09

Reported

2024-06-13 05:12

Platform

win7-20231129-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\60ea48f1b56b1b78e2872fabb37124a0_NeikiAnalytics.exe"

Signatures

Renames multiple (5068) files with added filename extension

ransomware

Executes dropped EXE

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_user-40.png.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Zombie.exe | N/A |

Drops file in System32 directory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\Zombie.exe | C:\Users\Admin\AppData\Local\Temp\60ea48f1b56b1b78e2872fabb37124a0_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Zombie.exe | C:\Users\Admin\AppData\Local\Temp\60ea48f1b56b1b78e2872fabb37124a0_NeikiAnalytics.exe | N/A |

Drops file in Program Files directory


Processes

C:\Users\Admin\AppData\Local\Temp\60ea48f1b56b1b78e2872fabb37124a0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\60ea48f1b56b1b78e2872fabb37124a0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\_user-40.png.exe

"_user-40.png.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

Network

N/A

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 05:09

Reported

2024-06-13 05:12

Platform

win10v2004-20240226-en

Max time kernel

134s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\60ea48f1b56b1b78e2872fabb37124a0_NeikiAnalytics.exe"

Signatures

Renames multiple (1521) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_user-40.png.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\60ea48f1b56b1b78e2872fabb37124a0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\60ea48f1b56b1b78e2872fabb37124a0_NeikiAnalytics.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\7-Zip\Lang\ug.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.IO.Pipes.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ja\System.Windows.Controls.Ribbon.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ko\PresentationFramework.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.ComponentModel.DataAnnotations.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\System.Design.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe.tmp C:\Users\Admin\AppData\Local\Temp\_user-40.png.exe N/A
File created C:\Program Files\7-Zip\Lang\zh-cn.txt.tmp C:\Users\Admin\AppData\Local\Temp\_user-40.png.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\en-US\ShapeCollector.exe.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\System.Diagnostics.EventLog.dll.tmp C:\Users\Admin\AppData\Local\Temp\_user-40.png.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\it\UIAutomationClientSideProviders.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_user-40.png.exe N/A
File opened for modification C:\Program Files\Internet Explorer\uk-UA\ieinstal.exe.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\sqloledb.dll.tmp C:\Users\Admin\AppData\Local\Temp\_user-40.png.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Data.DataSetExtensions.dll.tmp C:\Users\Admin\AppData\Local\Temp\_user-40.png.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Net.WebHeaderCollection.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\de\PresentationCore.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_user-40.png.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\System.CodeDom.dll.tmp C:\Users\Admin\AppData\Local\Temp\_user-40.png.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\sr-spl.txt.tmp C:\Users\Admin\AppData\Local\Temp\_user-40.png.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\cs\System.Windows.Forms.Design.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_user-40.png.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ThirdPartyNotices.MSHWLatin.txt.tmp C:\Users\Admin\AppData\Local\Temp\_user-40.png.exe N/A
File created C:\Program Files\Common Files\System\ado\msado25.tlb.tmp C:\Users\Admin\AppData\Local\Temp\_user-40.png.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\System.Drawing.Design.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ja-JP\rtscom.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pkeyconfig-office.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Net.WebProxy.dll.tmp C:\Users\Admin\AppData\Local\Temp\_user-40.png.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\PresentationUI.dll.tmp C:\Users\Admin\AppData\Local\Temp\_user-40.png.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\pt-BR\System.Windows.Controls.Ribbon.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\it\System.Windows.Forms.Primitives.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\vk_swiftshader_icd.json.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\vccorlib140.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\msdasql.dll.tmp C:\Users\Admin\AppData\Local\Temp\_user-40.png.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sl.pak.tmp C:\Users\Admin\AppData\Local\Temp\_user-40.png.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ja-jp.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\oledb32.dll.tmp C:\Users\Admin\AppData\Local\Temp\_user-40.png.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Security.Principal.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\pl\System.Windows.Controls.Ribbon.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_user-40.png.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\System.Drawing.dll.tmp C:\Users\Admin\AppData\Local\Temp\_user-40.png.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ko\ReachFramework.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_user-40.png.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe.tmp C:\Users\Admin\AppData\Local\Temp\_user-40.png.exe N/A
File created C:\Program Files\7-Zip\7z.sfx.tmp C:\Users\Admin\AppData\Local\Temp\_user-40.png.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Net.Http.Json.dll.tmp C:\Users\Admin\AppData\Local\Temp\_user-40.png.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Runtime.Serialization.Xml.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\Content.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-core-processenvironment-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\_user-40.png.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Globalization.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\vcruntime140_cor3.dll.tmp C:\Users\Admin\AppData\Local\Temp\_user-40.png.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\zh-Hans\Microsoft.VisualBasic.Forms.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\fr\System.Windows.Forms.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\mr.pak.tmp C:\Users\Admin\AppData\Local\Temp\_user-40.png.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\SmallLogoDev.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-process-l1-1-0.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\de\System.Windows.Forms.Primitives.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_user-40.png.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\policytool.exe.tmp C:\Users\Admin\AppData\Local\Temp\_user-40.png.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\oskmenubase.xml.tmp C:\Users\Admin\AppData\Local\Temp\_user-40.png.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\de\UIAutomationClientSideProviders.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_user-40.png.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\resources.pak.tmp C:\Users\Admin\AppData\Local\Temp\_user-40.png.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-rtlsupport-l1-1-0.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ipsfin.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\ucrtbase.dll.tmp C:\Users\Admin\AppData\Local\Temp\_user-40.png.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Collections.NonGeneric.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\zh-CN.pak.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-process-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\_user-40.png.exe N/A
File created C:\Program Files\Common Files\microsoft shared\VC\msdia100.dll.tmp C:\Users\Admin\AppData\Local\Temp\_user-40.png.exe N/A
File created C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\VSTOLoaderUI.dll.tmp C:\Users\Admin\AppData\Local\Temp\_user-40.png.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\60ea48f1b56b1b78e2872fabb37124a0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\60ea48f1b56b1b78e2872fabb37124a0_NeikiAnalytics.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

C:\Users\Admin\AppData\Local\Temp\_user-40.png.exe

"_user-40.png.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2196 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
GB 23.44.234.16:80 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 12.173.189.20.in-addr.arpa udp

Files
