Malware Analysis Report

2024-09-23 04:44

Sample ID 240614-azv82sxgrh
Target 948905358576ebf417f7768182bef1c0_NeikiAnalytics.exe
SHA256 81c6a5c380b19623aa7969f180b1da07446188ed609f7ba4032b1e6dfcf6a8f2
Tags ransomware
Score 9/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis Overview

Score 9/10
SHA256 81c6a5c380b19623aa7969f180b1da07446188ed609f7ba4032b1e6dfcf6a8f2

Threat Level: Likely malicious

The file 948905358576ebf417f7768182bef1c0_NeikiAnalytics.exe was found to be: Likely malicious.

Malicious Activity Summary

ransomware

Renames multiple (5233) files with added filename extension

Renames multiple (3914) files with added filename extension

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported 2024-06-14 00:39

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-14 00:39
Reported 2024-06-14 00:42
Platform win7-20240221-en
Max time kernel 150s
Max time network 118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\948905358576ebf417f7768182bef1c0_NeikiAnalytics.exe"

Signatures

Renames multiple (3914) files with added filename extension

ransomware

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_customizations.xml.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Zombie.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\Zombie.exe | C:\Users\Admin\AppData\Local\Temp\948905358576ebf417f7768182bef1c0_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Zombie.exe | C:\Users\Admin\AppData\Local\Temp\948905358576ebf417f7768182bef1c0_NeikiAnalytics.exe | N/A

Drops file in Program Files directory


Processes

C:\Users\Admin\AppData\Local\Temp\948905358576ebf417f7768182bef1c0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\948905358576ebf417f7768182bef1c0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\_customizations.xml.exe

"_customizations.xml.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

Network

N/A

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 00:39

Reported

2024-06-14 00:42

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\948905358576ebf417f7768182bef1c0_NeikiAnalytics.exe"

Signatures

Renames multiple (5233) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_customizations.xml.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\948905358576ebf417f7768182bef1c0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\948905358576ebf417f7768182bef1c0_NeikiAnalytics.exe N/A

Drops file in Program Files directory

Processes

C:\Users\Admin\AppData\Local\Temp\948905358576ebf417f7768182bef1c0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\948905358576ebf417f7768182bef1c0_NeikiAnalytics.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

C:\Users\Admin\AppData\Local\Temp\_customizations.xml.exe

"_customizations.xml.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 109.116.69.13.in-addr.arpa udp

Files
