Malware Analysis Report

2024-09-23 05:02

Sample ID 240613-kejpma1dma
Target 6cfe9926b438f728eadd4582124ca780_NeikiAnalytics.exe
SHA256 a06c1488ed2bba549c0164e12c0e29db41d3a1575166e89d7330b04bc4d40df3
Tags: ransomware
Score: 9/10

Analysis Overview

Score: 9/10

SHA256

a06c1488ed2bba549c0164e12c0e29db41d3a1575166e89d7330b04bc4d40df3

Threat Level: Likely malicious

The file 6cfe9926b438f728eadd4582124ca780_NeikiAnalytics.exe was found to be: Likely malicious.

Malicious Activity Summary

ransomware

Renames multiple (5142) files with added filename extension

Renames multiple (589) files with added filename extension

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-13 08:30

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-13 08:30
Reported: 2024-06-13 08:33
Platform: win7-20240611-en
Max time kernel: 150s
Max time network: 127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6cfe9926b438f728eadd4582124ca780_NeikiAnalytics.exe"

Signatures

Renames multiple (589) files with added filename extension

ransomware

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_checksum.exe.config.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Zombie.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\Zombie.exe | C:\Users\Admin\AppData\Local\Temp\6cfe9926b438f728eadd4582124ca780_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Zombie.exe | C:\Users\Admin\AppData\Local\Temp\6cfe9926b438f728eadd4582124ca780_NeikiAnalytics.exe | N/A

Drops file in Program Files directory


Processes

C:\Users\Admin\AppData\Local\Temp\6cfe9926b438f728eadd4582124ca780_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\6cfe9926b438f728eadd4582124ca780_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\_checksum.exe.config.exe

"_checksum.exe.config.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

Network

N/A

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 08:30

Reported

2024-06-13 08:33

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

51s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6cfe9926b438f728eadd4582124ca780_NeikiAnalytics.exe"

Signatures

Renames multiple (5142) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_checksum.exe.config.exe N/A
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\6cfe9926b438f728eadd4582124ca780_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\6cfe9926b438f728eadd4582124ca780_NeikiAnalytics.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\microsoft shared\ink\en-US\TabTip.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\_checksum.exe.config.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSWORD.OLB.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvStreamingManager.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\UIAutomationTypes.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Buffers.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.TextWriterTraceListener.dll.tmp C:\Users\Admin\AppData\Local\Temp\_checksum.exe.config.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA\zlibwapi.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOLoader.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\OMRAUT.DLL.tmp C:\Users\Admin\AppData\Local\Temp\_checksum.exe.config.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp140.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\sv.pak.tmp C:\Users\Admin\AppData\Local\Temp\_checksum.exe.config.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\lt\msipc.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PROOF\msth8FR.DLL.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Pipes.AccessControl.dll.tmp C:\Users\Admin\AppData\Local\Temp\_checksum.exe.config.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Trial-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Http.Json.dll.tmp C:\Users\Admin\AppData\Local\Temp\_checksum.exe.config.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\legal\javafx\mesa3d.md.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Arial.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_checksum.exe.config.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\CHART.DLL.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN092.XML.tmp C:\Users\Admin\AppData\Local\Temp\_checksum.exe.config.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Globalization.Calendars.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.Linq.dll.tmp C:\Users\Admin\AppData\Local\Temp\_checksum.exe.config.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\PresentationCore.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PROOF\msth8FR.LEX.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected] C:\Users\Admin\AppData\Local\Temp\_checksum.exe.config.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.vi-vn.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\VC\msdia100.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Mail.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\WindowsBase.dll.tmp C:\Users\Admin\AppData\Local\Temp\_checksum.exe.config.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MEDIA\EXPLODE.WAV.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSO.FRAMEPROTOCOLWIN32.DLL.tmp C:\Users\Admin\AppData\Local\Temp\_checksum.exe.config.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PROOF\MSSP7FR.dub.tmp C:\Users\Admin\AppData\Local\Temp\_checksum.exe.config.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] C:\Users\Admin\AppData\Local\Temp\_checksum.exe.config.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ja-JP\tabskb.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_checksum.exe.config.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.WebClient.dll.tmp C:\Users\Admin\AppData\Local\Temp\_checksum.exe.config.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\PresentationUI.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\PresentationCore.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_checksum.exe.config.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp4-pl.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_Subscription-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_checksum.exe.config.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\clrgc.dll.tmp C:\Users\Admin\AppData\Local\Temp\_checksum.exe.config.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-convert-l1-1-0.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_COL.HXC.tmp C:\Users\Admin\AppData\Local\Temp\_checksum.exe.config.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\WindowsBase.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\Microsoft.VisualBasic.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_checksum.exe.config.exe N/A
File created C:\Program Files\Microsoft Office\Office16\OSPP.VBS.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Trial-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_checksum.exe.config.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_OEM_Perp-pl.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_Subscription-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_checksum.exe.config.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.scale-180.png.tmp C:\Users\Admin\AppData\Local\Temp\_checksum.exe.config.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\it-IT\mshwLatin.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_checksum.exe.config.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\cacerts.pem.tmp C:\Users\Admin\AppData\Local\Temp\_checksum.exe.config.exe N/A
File created C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCallbacks.h.tmp C:\Users\Admin\AppData\Local\Temp\_checksum.exe.config.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\management\snmp.acl.template.tmp C:\Users\Admin\AppData\Local\Temp\_checksum.exe.config.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_checksum.exe.config.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\OSFUI.DLL.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Transactions.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XDocument.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Encodings.Web.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Linq.Parallel.dll.tmp C:\Users\Admin\AppData\Local\Temp\_checksum.exe.config.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\PresentationCore.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_checksum.exe.config.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6cfe9926b438f728eadd4582124ca780_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\6cfe9926b438f728eadd4582124ca780_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\_checksum.exe.config.exe

"_checksum.exe.config.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

Network

Files
