Malware Analysis Report

2024-09-09 20:20

Sample ID 240614-bzw11stflr
Target 979482f19cefed12c34e43820e7d24e0_NeikiAnalytics.exe
SHA256 b74504dfa36d686df68fc68723394e93a2e6778805c014d92cb0783f719a71f7
Tags ransomware
Score 9/10

Analysis Overview

Threat Level: Likely malicious

The file 979482f19cefed12c34e43820e7d24e0_NeikiAnalytics.exe was found to be: Likely malicious.

Malicious Activity Summary

ransomware

Renames multiple (5140) files with added filename extension

Renames multiple (4490) files with added filename extension

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-14 01:35

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 01:35

Reported

2024-06-14 01:38

Platform

win7-20240508-en

Max time kernel

149s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\979482f19cefed12c34e43820e7d24e0_NeikiAnalytics.exe"

Signatures

Renames multiple (4490) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_VBScript Examples.lnk.exe N/A
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\979482f19cefed12c34e43820e7d24e0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\979482f19cefed12c34e43820e7d24e0_NeikiAnalytics.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Java\jre7\lib\zi\America\Costa_Rica.tmp C:\Users\Admin\AppData\Local\Temp\_VBScript Examples.lnk.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\vlc.mo.tmp C:\Users\Admin\AppData\Local\Temp\_VBScript Examples.lnk.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_matte.wmv.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Jerusalem.tmp C:\Users\Admin\AppData\Local\Temp\_VBScript Examples.lnk.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-lib-profiler-ui.jar.tmp C:\Users\Admin\AppData\Local\Temp\_VBScript Examples.lnk.exe N/A
File created C:\Program Files\Mozilla Firefox\api-ms-win-crt-filesystem-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\_VBScript Examples.lnk.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_thunderstorm.png.tmp C:\Users\Admin\AppData\Local\Temp\_VBScript Examples.lnk.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\search_background.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\7-Zip\Lang\hi.txt.tmp C:\Users\Admin\AppData\Local\Temp\_VBScript Examples.lnk.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\feature.xml.tmp C:\Users\Admin\AppData\Local\Temp\_VBScript Examples.lnk.exe N/A
File created C:\Program Files\Java\jre7\lib\management\jmxremote.password.template.tmp C:\Users\Admin\AppData\Local\Temp\_VBScript Examples.lnk.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_altgr.xml.tmp C:\Users\Admin\AppData\Local\Temp\_VBScript Examples.lnk.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Halifax.tmp C:\Users\Admin\AppData\Local\Temp\_VBScript Examples.lnk.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\css\RSSFeeds.css.tmp C:\Users\Admin\AppData\Local\Temp\_VBScript Examples.lnk.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\jfxwebkit.dll.tmp C:\Users\Admin\AppData\Local\Temp\_VBScript Examples.lnk.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libdtv_plugin.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Defender\de-DE\MsMpRes.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_VBScript Examples.lnk.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\rings-dock.png.tmp C:\Users\Admin\AppData\Local\Temp\_VBScript Examples.lnk.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\timer_down.png.tmp C:\Users\Admin\AppData\Local\Temp\_VBScript Examples.lnk.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\micaut.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_VBScript Examples.lnk.exe N/A
File created C:\Program Files\Common Files\System\msadc\de-DE\msdaremr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_VBScript Examples.lnk.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_specialocc_Thumbnail.bmp.tmp C:\Users\Admin\AppData\Local\Temp\_VBScript Examples.lnk.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsScenesBackground.wmv.tmp C:\Users\Admin\AppData\Local\Temp\_VBScript Examples.lnk.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-editor-mimelookup-impl_ja.jar.tmp C:\Users\Admin\AppData\Local\Temp\_VBScript Examples.lnk.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Port-au-Prince.tmp C:\Users\Admin\AppData\Local\Temp\_VBScript Examples.lnk.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\libGLESv2.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\calendar.html.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationLeft_SelectionSubpicture.png.tmp C:\Users\Admin\AppData\Local\Temp\_VBScript Examples.lnk.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\15x15dot.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\decorative_rule.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\MANIFEST.MF.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Antarctica\Vostok.tmp C:\Users\Admin\AppData\Local\Temp\_VBScript Examples.lnk.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_output\libdirectdraw_plugin.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-api-caching.jar.tmp C:\Users\Admin\AppData\Local\Temp\_VBScript Examples.lnk.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.IdentityModel.Resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_VBScript Examples.lnk.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\control\libwin_msg_plugin.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\js\cpu.js.tmp C:\Users\Admin\AppData\Local\Temp\_VBScript Examples.lnk.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationUp_ButtonGraphic.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Internet Explorer\en-US\iedvtool.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_VBScript Examples.lnk.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Reunion.tmp C:\Users\Admin\AppData\Local\Temp\_VBScript Examples.lnk.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jmx_zh_CN.jar.tmp C:\Users\Admin\AppData\Local\Temp\_VBScript Examples.lnk.exe N/A
File created C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\SpiderSolitaire.exe.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\video_splitter\libwall_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\_VBScript Examples.lnk.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\flyout.css.tmp C:\Users\Admin\AppData\Local\Temp\_VBScript Examples.lnk.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\203x8subpicture.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\CircleSubpicture.png.tmp C:\Users\Admin\AppData\Local\Temp\_VBScript Examples.lnk.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\cpyr.htm.tmp C:\Users\Admin\AppData\Local\Temp\_VBScript Examples.lnk.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-io-ui_zh_CN.jar.tmp C:\Users\Admin\AppData\Local\Temp\_VBScript Examples.lnk.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Xml.Linq.Resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_VBScript Examples.lnk.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\msinfo32.exe.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\jpeg.dll.tmp C:\Users\Admin\AppData\Local\Temp\_VBScript Examples.lnk.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\core_zh_CN.jar.tmp C:\Users\Admin\AppData\Local\Temp\_VBScript Examples.lnk.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libtrivial_channel_mixer_plugin.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Media Player\WMPNSSUI.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\logo.png.tmp C:\Users\Admin\AppData\Local\Temp\_VBScript Examples.lnk.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\mshwjpn.dll.tmp C:\Users\Admin\AppData\Local\Temp\_VBScript Examples.lnk.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Broken_Hill.tmp C:\Users\Admin\AppData\Local\Temp\_VBScript Examples.lnk.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\org-openide-filesystems_zh_CN.jar.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-4.tmp C:\Users\Admin\AppData\Local\Temp\_VBScript Examples.lnk.exe N/A
File created C:\Program Files\Java\jre7\lib\security\cacerts.tmp C:\Users\Admin\AppData\Local\Temp\_VBScript Examples.lnk.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\vlc.mo.tmp C:\Users\Admin\AppData\Local\Temp\_VBScript Examples.lnk.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\travel.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe.tmp C:\Users\Admin\AppData\Local\Temp\_VBScript Examples.lnk.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Pyongyang.tmp C:\Users\Admin\AppData\Local\Temp\_VBScript Examples.lnk.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\979482f19cefed12c34e43820e7d24e0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\979482f19cefed12c34e43820e7d24e0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\_VBScript Examples.lnk.exe

"_VBScript Examples.lnk.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\_VBScript Examples.lnk.exe

MD5 284f60d5626b0baa8cc4697129edd924
SHA1 35586c351222b12bcc10af3b4193ae4dc8531157
SHA256 252d4f2d1f4f4233055e910bbb0fcfd83526702863eeae91b019bb8ad59a9443
SHA512 70e30df94addb34fcac66060ce043d5808265cba112b81b4ca7f159ff213329d4b5ebdd2839164708377565490c1370b366ac74d4344e2d56ec97f9c1398b5cd

C:\Windows\SysWOW64\Zombie.exe

MD5 38bd6436596fcbd7baa1712ade648b07
SHA1 507a5b05e9c6e82bd3d8e992868f648116ac30a8
SHA256 5f2c72e14b67a4ce86d2b6e26acb2b46b935bd3ac583df75246bd24fe1ddd59e
SHA512 3778c96da4c3666305149a0b81725f22f86aaac158f55d919287a3dfe77a04df0808ed9f0af42312c72ff3962f580359a7393568bd86fba09904b4f4b8852787

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 01:35

Reported

2024-06-14 01:38

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\979482f19cefed12c34e43820e7d24e0_NeikiAnalytics.exe"

Signatures

Renames multiple (5140) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_VBScript Examples.lnk.exe N/A
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\979482f19cefed12c34e43820e7d24e0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\979482f19cefed12c34e43820e7d24e0_NeikiAnalytics.exe N/A

Drops file in Program Files directory


Processes

C:\Users\Admin\AppData\Local\Temp\979482f19cefed12c34e43820e7d24e0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\979482f19cefed12c34e43820e7d24e0_NeikiAnalytics.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

C:\Users\Admin\AppData\Local\Temp\_VBScript Examples.lnk.exe

"_VBScript Examples.lnk.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 43.43.201.23.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 57.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 89.43.201.23.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files
