Malware Analysis Report

2024-09-23 04:30

Sample ID 240614-e4h7havfkb
Target a242ad919b177f417dfcbea4cab14380_NeikiAnalytics.exe
SHA256 479f153f9528f7f6865a66969f49c586e30fd6173852a93654f9401ff3580563
Tags ransomware
Score 9/10

Analysis Overview

score
9/10

SHA256

479f153f9528f7f6865a66969f49c586e30fd6173852a93654f9401ff3580563

Threat Level: Likely malicious

The file a242ad919b177f417dfcbea4cab14380_NeikiAnalytics.exe was found to be: Likely malicious.

Malicious Activity Summary

ransomware

Renames multiple (5617) files with added filename extension

Renames multiple (1659) files with added filename extension

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-14 04:29

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 04:29

Reported

2024-06-14 04:32

Platform

win10v2004-20240226-en

Max time kernel

151s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a242ad919b177f417dfcbea4cab14380_NeikiAnalytics.exe"

Signatures

Renames multiple (1659) files with added filename extension

ransomware

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_chocolateyUninstall.ps1.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Zombie.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\Zombie.exe | C:\Users\Admin\AppData\Local\Temp\a242ad919b177f417dfcbea4cab14380_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Zombie.exe | C:\Users\Admin\AppData\Local\Temp\a242ad919b177f417dfcbea4cab14380_NeikiAnalytics.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVFileSystemMetadata.dll.tmp | C:\Users\Admin\AppData\Local\Temp\_chocolateyUninstall.ps1.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\en-GB\tipresx.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\_chocolateyUninstall.ps1.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Net.Primitives.dll.tmp | C:\Users\Admin\AppData\Local\Temp\_chocolateyUninstall.ps1.exe | N/A
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.AppContext.dll.tmp | C:\Users\Admin\AppData\Local\Temp\_chocolateyUninstall.ps1.exe | N/A
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Runtime.Serialization.Json.dll.tmp | C:\Users\Admin\AppData\Local\Temp\_chocolateyUninstall.ps1.exe | N/A
File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\hu.pak.tmp | C:\Users\Admin\AppData\Local\Temp\_chocolateyUninstall.ps1.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\legal\javafx\jpeg_fx.md.tmp | C:\Users\Admin\AppData\Local\Temp\_chocolateyUninstall.ps1.exe | N/A
File created | C:\Program Files\Common Files\System\msadc\de-DE\msdaprsr.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\_chocolateyUninstall.ps1.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Runtime.Loader.dll.tmp | C:\Users\Admin\AppData\Local\Temp\_chocolateyUninstall.ps1.exe | N/A
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Globalization.dll.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\de\System.Windows.Forms.Design.resources.dll.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\tr\PresentationUI.resources.dll.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\pl\PresentationCore.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\_chocolateyUninstall.ps1.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\jre\bin\jsdt.dll.tmp | C:\Users\Admin\AppData\Local\Temp\_chocolateyUninstall.ps1.exe | N/A
File created | C:\Program Files\7-Zip\Lang\ca.txt.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\pt-BR\UIAutomationProvider.resources.dll.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-conio-l1-1-0.dll.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ms-my.dll.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Runtime.Intrinsics.dll.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Diagnostics.Tools.dll.tmp | C:\Users\Admin\AppData\Local\Temp\_chocolateyUninstall.ps1.exe | N/A
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Private.Xml.dll.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\de\UIAutomationTypes.resources.dll.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\PresentationFramework.Classic.dll.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\zh-Hant\PresentationUI.resources.dll.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\zh-Hant\System.Windows.Controls.Ribbon.resources.dll.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\msvcp140.dll.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\pl\UIAutomationClientSideProviders.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\_chocolateyUninstall.ps1.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Runtime.Handles.dll.tmp | C:\Users\Admin\AppData\Local\Temp\_chocolateyUninstall.ps1.exe | N/A
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\zh-Hans\PresentationFramework.resources.dll.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\pt-PT\tipresx.dll.mui.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File opened for modification | C:\Program Files\Common Files\System\msadc\en-US\msdaprsr.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\_chocolateyUninstall.ps1.exe | N/A
File opened for modification | C:\Program Files\Common Files\System\msadc\en-US\msdaremr.dll.mui.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\cs.pak.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\nb.txt.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Globalization.dll.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Runtime.Serialization.Json.dll.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\icudtl.dat.tmp | C:\Users\Admin\AppData\Local\Temp\_chocolateyUninstall.ps1.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-handle-l1-1-0.dll.tmp | C:\Users\Admin\AppData\Local\Temp\_chocolateyUninstall.ps1.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File opened for modification | C:\Program Files\Common Files\System\ado\msado25.tlb.tmp | C:\Users\Admin\AppData\Local\Temp\_chocolateyUninstall.ps1.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Dynamic.Runtime.dll.tmp | C:\Users\Admin\AppData\Local\Temp\_chocolateyUninstall.ps1.exe | N/A
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\clretwrc.dll.tmp | C:\Users\Admin\AppData\Local\Temp\_chocolateyUninstall.ps1.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\Microsoft.VisualBasic.dll.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\cs.txt.tmp | C:\Users\Admin\AppData\Local\Temp\_chocolateyUninstall.ps1.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.IO.Compression.ZipFile.dll.tmp | C:\Users\Admin\AppData\Local\Temp\_chocolateyUninstall.ps1.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ko\Microsoft.VisualBasic.Forms.resources.dll.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\fr\UIAutomationClientSideProviders.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\_chocolateyUninstall.ps1.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\System.Threading.AccessControl.dll.tmp | C:\Users\Admin\AppData\Local\Temp\_chocolateyUninstall.ps1.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-synch-l1-1-0.dll.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVScripting.dll.tmp | C:\Users\Admin\AppData\Local\Temp\_chocolateyUninstall.ps1.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe.tmp | C:\Users\Admin\AppData\Local\Temp\_chocolateyUninstall.ps1.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\pl-PL\tipresx.dll.mui.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File opened for modification | C:\Program Files\Common Files\System\ado\fr-FR\msader15.dll.mui.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\zh-Hant\UIAutomationProvider.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\_chocolateyUninstall.ps1.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ja\UIAutomationClientSideProviders.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\_chocolateyUninstall.ps1.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\te.pak.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\es-ES\mshwLatin.dll.mui.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad.xml.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-rtlsupport-l1-1-0.dll.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File created | C:\Program Files\Internet Explorer\sqmapi.dll.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\bin\idlj.exe.tmp | C:\Users\Admin\AppData\Local\Temp\_chocolateyUninstall.ps1.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvStreamingManager.dll.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\ipstr.xml.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.tmp | C:\Users\Admin\AppData\Local\Temp\_chocolateyUninstall.ps1.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a242ad919b177f417dfcbea4cab14380_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\a242ad919b177f417dfcbea4cab14380_NeikiAnalytics.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

C:\Users\Admin\AppData\Local\Temp\_chocolateyUninstall.ps1.exe

"_chocolateyUninstall.ps1.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4052 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 20.231.121.79:80 | | tcp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 13.107.246.64:443 | | tcp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 136.71.105.51.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\_chocolateyUninstall.ps1.exe

MD5 b51c1131c96999184b2cb1b9c2be3911
SHA1 75f9299ac127f925192899b96b6baffe288dc35c
SHA256 1bb83356246e030ce299124c941e0c5e0de1d597003ccffe6fdd5518dd15cc11
SHA512 96f352eea8c6fcac604b7f16f705d47541467416f1a6194ec40114462a54827ed5dad17a52b4ca790d618c8f3c08b2151142f4545ea9c360d6ebd42b85834766

C:\Windows\SysWOW64\Zombie.exe

MD5 31c8aafbfc4ecfe736869213bb61fe6e
SHA1 47e6d67b7d76ed67e2c069ae52bfb5b859dcd941
SHA256 52120cc0a65d259ebd547040eced5956e037e7b660dd42cd43809b68d2070507
SHA512 6ea49660e908315354cc9dc2fe32798254d78da0bfa98595c9d389acf88de2c596667e49b30b9ef6faba41a51ea9cd50f1aaa0c29dc96d029491aeea5a7c1b9e

C:\$Recycle.Bin\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini.tmp

MD5 605d4df7e97c441ace276c1b61454a0c
SHA1 bf285c57fdb9fdcc826959c82fa4bd22959f7e8a
SHA256 8108aa774ec95ad383686d682ccf2b3a39980aff25e22489fe362787185437dc
SHA512 bcfa1b597b7c2e00b8357c423dc661e4e8a80ddfcfac4832e458670b16e7e5228b78c9f57c84f91b4aef3d2e21932513e400da9d01207cdd02bc381fc216c012

C:\DumpStack.log.tmp.tmp

MD5 3bbdd7fc3b846e84ce8c733a1fa72d48
SHA1 54e18a18b03007f07b3524c48a5d698ccbb4f944
SHA256 4248d3fa5e2c47118b96eb777592e39cff9bd4fe394ea22fa9dd8863123c4d1c
SHA512 e590b581ac46a32ad6625dd500a50c7e8adc315996c6fc636c4e9da3576b4d0950e142f5ae2961fc3a58e22b3a9702ee17ce2b7d0a50c1c630011da4c6a78f2f

C:\libsmartscreen.dll.tmp

MD5 b1f0eaeae4ff176509bf0ea6d8969558
SHA1 c3e4ddface81d714dea57a888f2814f92ab87b65
SHA256 090c7df926d35ce7d45bfd8dfa2f945c5764ada02f99070549c798a5acdde7f6
SHA512 7476ea72cf3223b2dab33a2389e8491bef2ad737f9e501544440fa7f95a889535ae0fbd6f6f899806d0fa37c861e574aa3130c005310ab7956bf6c354479f2bf

C:\odt\config.xml.tmp

MD5 36bce1142b550d8482d0751fdf52e46f
SHA1 418acbbeaf8860088e43331403338a74ad11204b
SHA256 cb57d2a72d6e6576bfc2f231f1fd29b26f7dc4a41925f513303038a8e5ba41e1
SHA512 26c505b5ce0e850bda6721c74cc788b720621c7202ce8b838361860153fdd3f072cfa723f0f663863b9921b6d6124168f326c693182712f5ccfa3d9c85313911

C:\odt\office2016setup.exe.tmp

MD5 8949a8fc5586ae4ef04d817785465364
SHA1 f31f1c2dcbf47d03190ccf26e362185b9f6e0019
SHA256 ca8c37dda10d0fe7f7bdc674b0baa2fd22d544b5df761aa9a5be8131cfcfa6b0
SHA512 05a6fd16f6127bd7ef89dfadd3201dbcb6f988b502215acad0aa5353800ba054fc1ef7564d5da7645cf7a3c9e1211a62d1ddd781f0cab79affc9469672e2c5a8

C:\Program Files\7-Zip\7-zip.chm.tmp

MD5 678c6383882d7a54bd0fb352fefe02b3
SHA1 e6c51a9d691622929dabd3cb66259f8e1467a995
SHA256 ad231110dbb04528ad1956dd40a3a142996294a24e4fda3e85b5ce62f69c3f9d
SHA512 730e067d17c95a81579a3da42dcdcfd8f21227c671f4ed103368a4a8193c7465382b01573b14e86b01e2cb5c2140a5f3d2c6352dc5dec382ac73515f3bba43c5

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 cee191eec815a0f40c06ca8ab7ec244e
SHA1 252a1722bb2c5c0a234e395b84551b316066f73e
SHA256 b2c3b7008cac4e5c23b5a615ccf1e3681befa654ab7849282a68b2bef9cd03d4
SHA512 48513fd538118d61c311cf1c3e65a09cafc40117e0c5da6da8e368ac99d01d8887ae461541b20517a31987db6793e3501cc0e33af03d7e63337ffa05c191d9eb

C:\Program Files\7-Zip\7-zip32.dll.tmp

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Program Files\7-Zip\7z.dll.tmp

MD5 bc6727983caf71e87a27a3f884185645
SHA1 d246091618fa23a2aef69e11b1549901a71982a2
SHA256 1a1fcee0e185e4be36e90db1cc4a9032687355ff027e112ae0c5f4fbbe354d82
SHA512 3b6f7a969d698ddf2b0dd7ed0aa47cf5cc35b768359da4e700422cb8235f1e4f091ed234b46abe473adeaa8bfd99e291edaf12a4d9e89747b001ac04003e6bd1

C:\Program Files\7-Zip\7z.exe.tmp

MD5 b0726502d2c307690c183fc4dff7ffcb
SHA1 64823732de45a8f3da32470f7278efec227dbcb7
SHA256 60fe483c5948d4d084a3b15e2819bff28236199039de7e187e3396443f8a5304
SHA512 91de625403da0118471144efacabb227e9d5954e2ab6ef8e470879340e73a2d4d3a5cf7b3f88324c5fd9b6fa1cff731e9b2055717ec71a4cd8fc4b0c325b0942

C:\Program Files\7-Zip\7z.sfx.tmp

MD5 89b19264564a86055139cdce727c4d3c
SHA1 bd2fbd385c34a416f1249df07b3383c23af03198
SHA256 77bcd08fc0ac26d9339f4a7157f480cdbd6dd93139d38729e6de1ff98b335898
SHA512 42a3bfdedce70140b6062dea8ca3b721802bd28a1bc918a18f265e0d9a6d76303c01084e6fd23f481949afcc268d5000634be4d6fd5063ed7db7dce13dc31713

C:\Program Files\7-Zip\7zCon.sfx.tmp

MD5 8cfbbdda20074a70bffbaa005fa2e4ad
SHA1 eac7259caa3e63a68442ae312fcfccc9deacb3c6
SHA256 135ec27ddaa63a8889d9793ed700ff290b0e2d9ace87c973870752e7064c1b5e
SHA512 0df69c61f4fc5542862c3f75a8465f038127499ae6b59bae9f3d3ba0b9a461419b88af6c2085b4ac11624951b4c48d929bd52bcdecf41f1090ec208e25ac44a6

C:\Program Files\7-Zip\7zFM.exe.tmp

MD5 c20d0d322e7898721987ba2283d52cf2
SHA1 cd283d7c88e501dcc41c9d01433aef4d453cf244
SHA256 7e61b48bdc590e1378b369932f78e675f64bac3ddec7f8ab43ad21fbfaf01579
SHA512 bcd958d32ebf4657ba2941d51f385e74a2e440b730cdd511206e1ef8a36fd19a89d5f264290cdc7d3da97bbed963571bbc59c9eb317d04edbe5073c85ed63b01

C:\Program Files\7-Zip\7zFM.exe.tmp

MD5 e895ca318d5de5108d19427dfc938bc9
SHA1 9598fa22af22dbd595e1db0ad63a284078f0c070
SHA256 8ab6b538d32ee947b642c99afe63ca5e8bc1fa0eafc72cef9368add37a4cdfca
SHA512 e25ddd41266942aa40f406b93f7cb33d16d6073424e088af2b7ca1c4f22fd471d3fbbd82bdbfb957a688da32e18d925e61aa2e97309ca8aee093fc2812b953d1

C:\Program Files\7-Zip\7zG.exe.tmp

MD5 4a5bd4e095b14e3fef7e917fa9a8f9fe
SHA1 6e766e9ed5e415b05ca2bda4210928719a8a89d2
SHA256 7e7686c7599ce4b72d4c6324e04f07ef49b50f67c5caaba1bd3ea43c054e6625
SHA512 7d658337959c69124af9cfcee55ca6ee0fd8b32486a8424ffd8b8691541b0da3b8957c76902b39d289d3c3fbc1f63c20c7a23f24f10a8a45bdb7de8f960529b3

C:\Program Files\7-Zip\7zG.exe.tmp

MD5 ecaf36199a94e66d662739983d0f82c8
SHA1 06fa6800f3db494250dc735b4c6ab1a739e627cb
SHA256 2b6f25304407dbf5e06f078532f8e074d1fb8806806e6c4b57aed044dc9dc554
SHA512 96aea8a75a5646597ccbe5f21aa318b46bf55ce98e089bde0a47dd63329fb05d81d5a7c96adb7cf5100da4cebbd732afab2fd2237cd8209c2ae4b70322261db6

C:\Program Files\7-Zip\descript.ion.tmp

MD5 4b48a03c8a9f810992b934d7f47c2283
SHA1 993a997dc04adec678b8cd6d05c48f1d97c64f73
SHA256 e78ab0c894171a944b7825c9dbc1ed95a1628b49d998b903551f4d9624af8089
SHA512 dae911c3a18a8dfb45f1054c62e9090aa6f4a99cc6e0352b9c95f11ea4837ac27e8e28e0ba13b7403f98187732da28f98f7903776f9709db6b3f67473a277a67

C:\Program Files\7-Zip\History.txt.tmp

MD5 e3096a035989aceedd513dbd3836b913
SHA1 bf2da263b1d7bae7c98b7e0f3e553703057f59ae
SHA256 ddf6c60b6914b8906e8040c900d4a37815c8428cbf9525b8cea7c6c4e54b499f
SHA512 1e13852c217347634208909ca243ffa7f138c0a79490d1d36634e8d1e694dc890919460e1130a4ff3f7ffcb123d3cf27c808385c0aeac863befd5b4950217fcc

C:\Program Files\7-Zip\Lang\an.txt.tmp

MD5 3551fe97d9f938f6db61350996cda6cb
SHA1 77ce8e2a0213b3a18fad478f67bbb6d795dbab01
SHA256 6a4a2462d678a5f2ab19f8786519e45195e20fabf22cf0a2ae84eb805b55c2ab
SHA512 3e3d714929d6ce63fd0ceea607caa9e950c80386fe8e7df7a5a5353c07859b8d4f1bad8935abba072e13c2db4ce44893eeea29c15be48c15a6ec7f9cdb3da868

C:\Program Files\7-Zip\Lang\ar.txt.tmp

MD5 8d6ab4da1107dd891a63fe9c066e1a92
SHA1 82887c27404a787734cfc074d565e61a1fb1a330
SHA256 668a465ab70130c81eb0e00eb7aeadafc116c12e8cb99fff1977a3bb5316ee21
SHA512 0f73577ad5b7eef9246b53c90bf650eece6054ea0f9c3ee51860e44cd786d1b29b69fdeed37d87aa5a0c83bd478649094241ec7e1318e72c31c277cc5e501051

C:\Program Files\7-Zip\Lang\ar.txt.tmp

MD5 1fdcdca34ae8297718c221d62469c8b2
SHA1 927251a68247e7b3f6ee857dd0cbc4d2005759f1
SHA256 ef6119f934d0540ee9041ad8cc9aad61eafe568451f640fa3f18c6bfa72bb582
SHA512 7dbcc1d5cc6052e1d488619d525bd76a36776b3d945c6f0a8433bd3e9a7dc04a370082b61d033460513becd097522ba60af15bd4ef33f6bb7a73254e991100ac

C:\Program Files\7-Zip\Lang\ast.txt.tmp

MD5 9e9224b5b694b7c346f577bc68ef78db
SHA1 95f04a73e0560bb37d1c0c7c8f12136d721fa2f3
SHA256 fe6a7b32a45fd8bbf63c71c8f8e41b8420da6f0fe2693aa078ced7caf6657ead
SHA512 23fa22e048f8c2b524f26dcbf707844cf8adfadcf7c492f836f939c6021ed04c03ca5e19c774503701f0497d69bb2ea4cf0491b730a0b1e9898105791226343f

C:\Program Files\7-Zip\Lang\az.txt.tmp

MD5 46726f9e3cc4c6422f0bbeb0973e70ca
SHA1 a3893ea65257306bb7a88904032a148fdf43f976
SHA256 5873a12c6ac52d8ae5f536ec79c031c8f096591891e640bdb64059135cce504a
SHA512 ec88ad76d5789f8621fcf921229e9a1e9624f80b145078c470a39e0d09b99b80432ef06ab8633cf098ae0a91731f166a5f242529dae91bc9f453d37ab04e4c70

C:\Program Files\7-Zip\Lang\ba.txt.tmp

MD5 644b0dec0cc8b03ba19a75e5aba349a1
SHA1 021b7a9af3c8a206940809ff33b2e9b79ac4bf47
SHA256 ba4371740949662421d21409b9549e815e6f9cc2ee1888834b4169c198727d15
SHA512 7efb5afdb7b45c4f1982a6bb1beedbe38df0a9dbab13fe3df9b5cf6ea8bab4d5ccdb4e1659476ca32c3e8f338df7442af4ac39848bf497e0a2a47a9e5fa47514

C:\Program Files\7-Zip\Lang\be.txt.tmp

MD5 aef1ab2f0cd98607085468377234c3e9
SHA1 cac668ed55a00c7236142c39ab53db1621c2c0d2
SHA256 fe0efc18e7b27c4a01c2af05693ee57246dd6b927408c196535205a4367d3441
SHA512 3df0bbafcd4f68ad0201ba32a202c199b1829230c733d0b30374b21e006b243597496af24d240d47592df0c86ba1fa0d2d28fe6205360cdfaeba9a8743ab1502

C:\Program Files\7-Zip\Lang\bg.txt.tmp

MD5 b69930a63a350b6e252421ffc3a58ebe
SHA1 08ce843d261004ecf10d8de8c1aac7a34a22ce90
SHA256 0abdcbf84e19f543828fc8bfd38a7a09ba6469a78d02e1e2a6211a0a661c9146
SHA512 8d31b64a9e2e99ce1abf05f2370a03aee8cbc7eb123f6e67cb8f47b514655600d4e7c99b6a6cc8555677f55b38e55f171b821ce27d973bb8047c4ac6d06e48de

C:\Program Files\7-Zip\Lang\ca.txt.tmp

MD5 4b3ff5374adef2c783d33d7da3c20490
SHA1 64dac41c06cf8fb9290ac6a648e4854fcf3bf2d1
SHA256 e8e1aeeaa17a891b99652f2ef65911aff3feee2a38972b318d3c82be9cd359f6
SHA512 4be85e52cf5612c2905a7b7a53ecd7f6acee3bc0fe997f37ce8406430a5e9b8c643327634099785c6a407b16e24e00d8d8e9ec7f6863d4664904f16a955c1cc0

C:\Program Files\7-Zip\Lang\co.txt.tmp

MD5 4195034e42faef301c00c64490be0331
SHA1 c013f8fe3e972ad1cdbb025dc4aad6c24be69fbd
SHA256 ec67c670fa8ced6ea01ca7b316a738fc501ed3331e0010ea32cdf022b0805c68
SHA512 1d813a8dd565714cbbf8cedeab55b03b79a17159b3100eec6b9e4ec103674fdba96ebaa05130c5e154d183519dbccaf6b27a59931add80113e71b0db72a6a450

C:\Program Files\7-Zip\Lang\cs.txt.tmp

MD5 d301aa347c603c9899d52dc88900ba9d
SHA1 3a2b23067d3aabded443f0089aacc0cd9eef78de
SHA256 cd6cf0157fb825d9e74f845685bfb70ded795389829d31e32d3635b1f930342e
SHA512 0ad508c50c21c68316628c9388380e1c48aaca0b4aeb372fc6035cc3e544ad20236a11e87ecca59185167327f2e2e949106f86067c97b24a392bf89a96dc82a7

C:\Program Files\7-Zip\Lang\de.txt.tmp

MD5 4cc75e9da60a08e4070a154142893c3c
SHA1 68149812285f147deb39ca67b48d871eee3a64f9
SHA256 4d42a2689563b65a6648da0e834c649696c418e088ab1b073424ac4c2a3bbb1a
SHA512 215eaa5a7fe64d12ead28ab62d09f0662ad08c01f868a2875eba9b4db553a6eddd2e9c04da52c08b5f7a2c97a28cc27801b5eb6b0339cb0bb21a6dd164f0c66e

C:\Program Files\7-Zip\Lang\eu.txt.tmp

MD5 15100044f5cf5857c3b6384aba574fe1
SHA1 2fb42894fe792ef615741eb8f22ae661adde3787
SHA256 ff81d28b2d098e4e5752f3f7ee66efab5b397f799f115b7630092d9f126b4d8e
SHA512 d47a05ab97439b6ac07babbac29ed09e4ccd13a1a597b5d2ddbf668a2f3d43563bd655443ba15d25cd36572ed116b7bd0daa44e71de3b597bee7dc8cf3d4a4d1

C:\Program Files\7-Zip\Lang\fa.txt.tmp

MD5 a87e3d94762b6002eda0824632194b2a
SHA1 67fdbf37c30f74227dfa7b1a97a71249499c02c3
SHA256 e3eba84af319f6912ad2c72665fba4c6018be5db31623402b8366a26d3b49f1c
SHA512 327c92be8b63ad6f14191fc1ac53ba1819027ff2c05f62b3f0ade1d1ee202bb075960aa6000d0e6526a818bf565e6936afea0e544d63cf7ce2d041ef884e0c06

C:\Program Files\7-Zip\Lang\fi.txt.tmp

MD5 a8892905925c7c5047d41fef89dabd0b
SHA1 0c85bfd65ce793411cb4a3938d1774b605cfe900
SHA256 ba68c9a716c27ea9657e93318c0c7e8ec33f8b6cdebcb6f3ebc7b41a68b27537
SHA512 3651c8ca767a0adf2089412465fec6192d249453cd6bfb84d40acf4aafd148e4ae9aa6b0dc43d51392fbd9266524b78861f4a93b60f4ddff349cbef35f0e8c29

C:\Program Files\7-Zip\Lang\fr.txt.tmp

MD5 d1c871df313d8955e6895aa826966b64
SHA1 47d11468b9ba5941f8b7387524b5b0486cdef971
SHA256 cef7bfd8f516e49cc2d4fd96b5bc44f68e3fbdc889cc841c4a2b962ed3755aeb
SHA512 3c315391e6b0850b7f16f2112d525028a796059e32534ecf58f7f611ee188e3037e06f434b180a99fde26b5124ee7b7016fa38a0851dc3f14d3ce0f8dc0a0a6a

C:\Program Files\7-Zip\Lang\fur.txt.tmp

MD5 84e0e9d0f5de78a9d8f3336ace5a9dd1
SHA1 4b3a414466ef95cd1e90c27b7ade74a470a6a70d
SHA256 6d9786fa703ca221b09b60bf508a7c55e1dc87e0c3763a45e3e30fb78c489348
SHA512 e2e76d0f73f2901fff51910c66ab4890d944745902602ae584780948b0919edd0ba7f7744ae3bc60344c36bfcb14f6a284fbbd2a8b36c2ae648462bf190418b4

C:\Program Files\7-Zip\Lang\fy.txt.tmp

MD5 abfd7f651c12ac8d762a18a486a0dc78
SHA1 8e73b0a37b3c31d40ceb680ff2cb5a28ce91ff47
SHA256 273e9ffb22afd39376a52e8f5dbd661f5195b312ac655387096240ce14a4d32a
SHA512 fda67addfad614286409dbc175cf39989cea3260b9ee3ab6c5830ea4a074c24b80c4bf1f8ea72760bc6e32cce97c5e7f7f1c1f66f9f9a11903c704ad20229ee6

C:\Program Files\7-Zip\Lang\ga.txt.tmp

MD5 897076d7d51b7b840415b4e3a0dd5206
SHA1 483362df9e8c48169272bcbfde33e5cfd3ae1874
SHA256 7b4e45b6447467fe1d4f11d422cfce51f108b7a7eac508bfe6f914b5f19114c7
SHA512 346dadd2d0d27894f6fc2476bceaacede0996294ec56b2864674357941a149173f31e42fc2b02eef39f3fba3e2e7a3567036e137ab3d34cb99b8c615a90c62f3

C:\Program Files\7-Zip\Lang\gl.txt.tmp

MD5 7dfb8e3a885dd50888862a1ae5c2a75d
SHA1 d2d81dc78f0dbe48f4e510cc6c61c2617a93dd60
SHA256 e11edeec0497530b635f45ec93df441ec903e7fbc84fc136699361082d2d8961
SHA512 0d49c5bdf809b6b84c49982b5ea4d854e60d136b7ab08d0ff187e451650456c2ef86386c9e4030e8997f56ef7364266024c4318b60498fcefcf6235ff60e4c9e

C:\Program Files\7-Zip\Lang\gu.txt.tmp

MD5 f835fb035fad19f7b4edee609c2b635a
SHA1 650dc0b9c6347d370f71d5bfcc5ffdead2e57fe9
SHA256 3ddca4645ca3d7dc2855327c85535aa61716a1331e54cd433747518d21cedf36
SHA512 bfb8719419c227d5961184373344c2a839488e1ce9200915ca936e8e330caf2fbec63f642d9da941ed6b489c013518bf4ed3ea60529925cef90285408d016767

C:\Program Files\7-Zip\Lang\he.txt.tmp

MD5 6abeb0178de62aa3136ce247ac201a58
SHA1 9e104beec569b5072dd51be0289d9dcd2f474a84
SHA256 eba5598818302e9c775cb85ed170fd65fb30cd6ffe060fd4eb3553693d9fde79
SHA512 9f410602ce67b5c9af85283bb4a7f8518d1adf4fbd6f70ea9044556a953a115b7af2e00cf649147d7d6affb21efa509bbad26ba7be631873a7f7855665ff5cd9

C:\Program Files\7-Zip\Lang\hi.txt.tmp

MD5 19f0ae40b6c518e7c2661746524e6151
SHA1 2792c7b0331d425f931f4f42cf75e58abf249142
SHA256 f5d7e645bf7a4eda8c55297785ab7a6a533e4a2bcfedc7bb9defa2caf8f8d0b3
SHA512 187cf2c2f63a3079db31a255008a55613de4ee3b5902d3355dbce786575cb451d4d9f8441ad5b5bab0542b373ded660b05b2a8fcb9a39776f664f1d69554700b

C:\Program Files\7-Zip\Lang\hr.txt.tmp

MD5 ef5cf12547507b076b58154cd0c4d8c7
SHA1 70ea974b922d249c8296e9fc8dd079141772cdd6
SHA256 515df4cd352c03f73ad0fa8ee98193fc9d8b45c81bf1e56c213f7eb9280273dc
SHA512 b57d762c4a8e12b859e5eb21e808c81247b8e7dffc8926b2ca61bc358199184de4a92a8924a1a045efb1a3048a017c1d29efd672d30ff818296ca91994347f59

C:\Program Files\7-Zip\Lang\hu.txt.tmp

MD5 390cefb48ad1bd080ff3433d75c8799f
SHA1 a64d23cfac0544604d82e1db9eb19c19347396c6
SHA256 5979d4418542bbe0d6b95c4731cb0d586ada013ad61312cf35eb72d9410e528f
SHA512 1d80a935583c6f5ed98fe1fbad9baf52e2ae837dedddf9b1bd67cde7a0bd327dfa4d1cee7236c0db62bf1ace6b7e39bff63b3eebe17697b9b982f16fc68e4f63

C:\Program Files\7-Zip\Lang\hy.txt.tmp

MD5 f5b568f917179312299867ac148c20bd
SHA1 2bad12688a6c3a04d84fabcf0001589bb86b1601
SHA256 ed281b8a4bf28c9cb3a137cab17d7170c03ec9e04854efd4e56a4543706cec53
SHA512 cf4ee949fc8c1b7695f0c2d8742a0a7744728adfca2e2f16a981e39fcf45d8cc09ad75b0cc410511c51fee179d7b39ac5b53da2cc5a12a817666a7ad9d35e254

C:\Program Files\7-Zip\Lang\id.txt.tmp

MD5 6f58aea91f71e679c0876bc8300839c4
SHA1 a9ea302e1dc6c5d465833c635ecc9ec231aa7d8f
SHA256 a1f5359984a39482201a82219a9f65eca0300274c94aff8c4956a11a0dd3aca1
SHA512 06a5ee61022aa24f24912231d71274f25d843d78a4eb4b8456f04e94dc29e1e8b4fc81b9b470b3dc7b977c5f5c2180fc6ea930118fcc10acc99e4045e2697240

C:\Program Files\7-Zip\Lang\io.txt.tmp

MD5 24a900238b6979beede785317503c77e
SHA1 06fc45043a65708ce22839570bb4c7785fee8f82
SHA256 fb0da2ee0df97eccec8f8706dbf18820e79254dbaa75b4cc89a0609c88a6e613
SHA512 3ddbdc42bf45b76f0e06a3d438c8368d3e717b1a70ff93cbc228c4257728bff3cf803f234d0c66ddddae00786acd0707c9d4e6c3fc16f2cb7d806643b53bb994

C:\Program Files\7-Zip\Lang\it.txt.tmp

MD5 6ecf76d68a7f95f67b22ea98b7b8a855
SHA1 bfe54567c588c3eb7ea43e74603f0bccd4d3967f
SHA256 53dc0f35f702ce5f7337ce7cfddc44d8589b11998a85c40d97cc7d071e141e79
SHA512 6386f76b873b2c32458dd1e95d45e0beba2fce272e2d0c776c09dd46f089f7ad38ffdd7dd69f9b644a7fdd50e84e9d754cc1f32f4761cfa87f68de880e62c982

C:\Program Files\7-Zip\Lang\ko.txt.tmp

MD5 c130d40e1029349986800bb8ceaa1262
SHA1 4b22b609151df9611c0e6536dd6947b0514dba7a
SHA256 cf5196f513d54efef76cc99e450a14c7bc024f66450b0b73cb1710b5015e7e10
SHA512 af57fda43155f0ee44931f11de8cdb3f20b13d797ed361fbd9b2b94070531c202f43e0a0ea28f29571e8515b4654aeb5d82dc202f71b880362473b51bda6621d

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 04:29

Reported

2024-06-14 04:32

Platform

win7-20240221-en

Max time kernel

150s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a242ad919b177f417dfcbea4cab14380_NeikiAnalytics.exe"

Signatures

Renames multiple (5617) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_chocolateyUninstall.ps1.exe N/A
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\a242ad919b177f417dfcbea4cab14380_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\a242ad919b177f417dfcbea4cab14380_NeikiAnalytics.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\TitleButtonIcon.png.tmp C:\Users\Admin\AppData\Local\Temp\_chocolateyUninstall.ps1.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaBrightDemiBold.ttf.tmp C:\Users\Admin\AppData\Local\Temp\_chocolateyUninstall.ps1.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\diner_dot.png.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Cuiaba.tmp C:\Users\Admin\AppData\Local\Temp\_chocolateyUninstall.ps1.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\EET.tmp C:\Users\Admin\AppData\Local\Temp\_chocolateyUninstall.ps1.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Asia\Oral.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libinvert_plugin.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\grid_(cm).wmf.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationLeft_SelectionSubpicture.png.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Atlantic\Cape_Verde.tmp C:\Users\Admin\AppData\Local\Temp\_chocolateyUninstall.ps1.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libchain_plugin.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\rtscom.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_chocolateyUninstall.ps1.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\ShapeCollector.exe.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Novosibirsk.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.intro.ja_5.5.0.165303.jar.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libtospdif_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\_chocolateyUninstall.ps1.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-spi-actions_ja.jar.tmp C:\Users\Admin\AppData\Local\Temp\_chocolateyUninstall.ps1.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-charts_ja.jar.tmp C:\Users\Admin\AppData\Local\Temp\_chocolateyUninstall.ps1.exe N/A
File created C:\Program Files\Windows Media Player\fr-FR\mpvis.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_chocolateyUninstall.ps1.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\css\weather.css.tmp C:\Users\Admin\AppData\Local\Temp\_chocolateyUninstall.ps1.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Tirane.tmp C:\Users\Admin\AppData\Local\Temp\_chocolateyUninstall.ps1.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-common_zh_CN.jar.tmp C:\Users\Admin\AppData\Local\Temp\_chocolateyUninstall.ps1.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_heb.xml.tmp C:\Users\Admin\AppData\Local\Temp\_chocolateyUninstall.ps1.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\about.html.tmp C:\Users\Admin\AppData\Local\Temp\_chocolateyUninstall.ps1.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.ui_4.0.100.v20140401-0608.jar.tmp C:\Users\Admin\AppData\Local\Temp\_chocolateyUninstall.ps1.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\hint_over.png.tmp C:\Users\Admin\AppData\Local\Temp\_chocolateyUninstall.ps1.exe N/A
File created C:\Program Files\Windows Sidebar\en-US\Sidebar.exe.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.jdp_5.5.0.165303.jar.tmp C:\Users\Admin\AppData\Local\Temp\_chocolateyUninstall.ps1.exe N/A
File created C:\Program Files\Java\jre7\lib\jce.jar.tmp C:\Users\Admin\AppData\Local\Temp\_chocolateyUninstall.ps1.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.IdentityModel.Selectors.Resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationRight_SelectionSubpicture.png.tmp C:\Users\Admin\AppData\Local\Temp\_chocolateyUninstall.ps1.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\1047x576_91n92.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.emf.common_2.10.1.v20140901-1043.jar.tmp C:\Users\Admin\AppData\Local\Temp\_chocolateyUninstall.ps1.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPTSFrame.png.tmp C:\Users\Admin\AppData\Local\Temp\_chocolateyUninstall.ps1.exe N/A
File created C:\Program Files\Java\jre7\lib\psfontj2d.properties.tmp C:\Users\Admin\AppData\Local\Temp\_chocolateyUninstall.ps1.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.property_1.4.200.v20140214-0004.jar.tmp C:\Users\Admin\AppData\Local\Temp\_chocolateyUninstall.ps1.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ps\LC_MESSAGES\vlc.mo.tmp C:\Users\Admin\AppData\Local\Temp\_chocolateyUninstall.ps1.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_chocolateyUninstall.ps1.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\feature.xml.tmp C:\Users\Admin\AppData\Local\Temp\_chocolateyUninstall.ps1.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-spi-actions_zh_CN.jar.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\css\currency.css.tmp C:\Users\Admin\AppData\Local\Temp\_chocolateyUninstall.ps1.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationRight_ButtonGraphic.png.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationLeft_SelectionSubpicture.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Indiana\Marengo.tmp C:\Users\Admin\AppData\Local\Temp\_chocolateyUninstall.ps1.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Antarctica\Troll.tmp C:\Users\Admin\AppData\Local\Temp\_chocolateyUninstall.ps1.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Pacific\Saipan.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\LINEAR_RGB.pf.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Africa\Tripoli.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Creston.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\imap.jar.tmp C:\Users\Admin\AppData\Local\Temp\_chocolateyUninstall.ps1.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-spi-quicksearch.jar.tmp C:\Users\Admin\AppData\Local\Temp\_chocolateyUninstall.ps1.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Europe\Moscow.tmp C:\Users\Admin\AppData\Local\Temp\_chocolateyUninstall.ps1.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Europe\Belgrade.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\es-ES\gadget.xml.tmp C:\Users\Admin\AppData\Local\Temp\_chocolateyUninstall.ps1.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\ja-JP\sqloledb.rll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationRight_ButtonGraphic.png.tmp C:\Users\Admin\AppData\Local\Temp\_chocolateyUninstall.ps1.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\dialogs\offset_window.html.tmp C:\Users\Admin\AppData\Local\Temp\_chocolateyUninstall.ps1.exe N/A
File created C:\Program Files\Windows Media Player\de-DE\setup_wm.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\_chocolateyUninstall.ps1.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Notes_loop_PAL.wmv.tmp C:\Users\Admin\AppData\Local\Temp\_chocolateyUninstall.ps1.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-actions_ja.jar.tmp C:\Users\Admin\AppData\Local\Temp\_chocolateyUninstall.ps1.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\UIAutomationClient.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\btn-next-static.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macTSFrame.png.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-io.xml.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2796 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\a242ad919b177f417dfcbea4cab14380_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\_chocolateyUninstall.ps1.exe
PID 2796 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\a242ad919b177f417dfcbea4cab14380_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\_chocolateyUninstall.ps1.exe
PID 2796 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\a242ad919b177f417dfcbea4cab14380_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\_chocolateyUninstall.ps1.exe
PID 2796 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\a242ad919b177f417dfcbea4cab14380_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\_chocolateyUninstall.ps1.exe
PID 2796 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\a242ad919b177f417dfcbea4cab14380_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\_chocolateyUninstall.ps1.exe
PID 2796 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\a242ad919b177f417dfcbea4cab14380_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\_chocolateyUninstall.ps1.exe
PID 2796 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\a242ad919b177f417dfcbea4cab14380_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\_chocolateyUninstall.ps1.exe
PID 2796 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\a242ad919b177f417dfcbea4cab14380_NeikiAnalytics.exe C:\Windows\SysWOW64\Zombie.exe
PID 2796 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\a242ad919b177f417dfcbea4cab14380_NeikiAnalytics.exe C:\Windows\SysWOW64\Zombie.exe
PID 2796 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\a242ad919b177f417dfcbea4cab14380_NeikiAnalytics.exe C:\Windows\SysWOW64\Zombie.exe
PID 2796 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\a242ad919b177f417dfcbea4cab14380_NeikiAnalytics.exe C:\Windows\SysWOW64\Zombie.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a242ad919b177f417dfcbea4cab14380_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\a242ad919b177f417dfcbea4cab14380_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\_chocolateyUninstall.ps1.exe

"_chocolateyUninstall.ps1.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\_chocolateyUninstall.ps1.exe

MD5 b51c1131c96999184b2cb1b9c2be3911
SHA1 75f9299ac127f925192899b96b6baffe288dc35c
SHA256 1bb83356246e030ce299124c941e0c5e0de1d597003ccffe6fdd5518dd15cc11
SHA512 96f352eea8c6fcac604b7f16f705d47541467416f1a6194ec40114462a54827ed5dad17a52b4ca790d618c8f3c08b2151142f4545ea9c360d6ebd42b85834766

C:\Windows\SysWOW64\Zombie.exe

MD5 31c8aafbfc4ecfe736869213bb61fe6e
SHA1 47e6d67b7d76ed67e2c069ae52bfb5b859dcd941
SHA256 52120cc0a65d259ebd547040eced5956e037e7b660dd42cd43809b68d2070507
SHA512 6ea49660e908315354cc9dc2fe32798254d78da0bfa98595c9d389acf88de2c596667e49b30b9ef6faba41a51ea9cd50f1aaa0c29dc96d029491aeea5a7c1b9e
