Malware Analysis Report

2024-09-23 04:30

Sample ID 240614-edv4datgqb
Target 9fed8cab39c5b453da5b5a2f4f176ea0_NeikiAnalytics.exe
SHA256 1bb3aa9c18cf72dbfab17d34f36dc7cd143de5b6f9babb7580e88b7ece186d64
Tags
upx ransomware
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

1bb3aa9c18cf72dbfab17d34f36dc7cd143de5b6f9babb7580e88b7ece186d64

Threat Level: Likely malicious

The file 9fed8cab39c5b453da5b5a2f4f176ea0_NeikiAnalytics.exe was found to be: Likely malicious.

Malicious Activity Summary

upx ransomware

Renames multiple (1186) files with added filename extension

Renames multiple (268) files with added filename extension

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-14 03:49

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 03:49

Reported

2024-06-14 03:52

Platform

win7-20240611-en

Max time kernel

150s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9fed8cab39c5b453da5b5a2f4f176ea0_NeikiAnalytics.exe"

Signatures

Renames multiple (268) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_StorageEventsArchive.dat.exe N/A
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\9fed8cab39c5b453da5b5a2f4f176ea0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\9fed8cab39c5b453da5b5a2f4f176ea0_NeikiAnalytics.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_StorageEventsArchive.dat.exe N/A
File opened for modification C:\Program Files\DVD Maker\fr-FR\DVDMaker.exe.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationRight_ButtonGraphic.png.tmp C:\Users\Admin\AppData\Local\Temp\_StorageEventsArchive.dat.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_LOOP_BG.wmv.tmp C:\Users\Admin\AppData\Local\Temp\_StorageEventsArchive.dat.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipsptb.xml.tmp C:\Users\Admin\AppData\Local\Temp\_StorageEventsArchive.dat.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationUp_ButtonGraphic.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationUp_ButtonGraphic.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DenyShow.png.tmp C:\Users\Admin\AppData\Local\Temp\_StorageEventsArchive.dat.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BlackRectangle.bmp.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\it-IT\WMM2CLIP.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_StorageEventsArchive.dat.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\FlickLearningWizard.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\_StorageEventsArchive.dat.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\ShapeCollector.exe.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\whitemask1047.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_StorageEventsArchive.dat.exe N/A
File created C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\es-ES\MSTTSLoc.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\whitevignette1047.png.tmp C:\Users\Admin\AppData\Local\Temp\_StorageEventsArchive.dat.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\IpsMigrationPlugin.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\MSTTSLoc.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipBand.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_StorageEventsArchive.dat.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\tabskb.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\InputPersonalization.exe.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\gl.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\7-Zip\Lang\kab.txt.tmp C:\Users\Admin\AppData\Local\Temp\_StorageEventsArchive.dat.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Csi.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ru.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\ShapeCollector.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\_StorageEventsArchive.dat.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_image-frame-ImageMask.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Title_Page_Ref_PAL.wmv.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationLeft_SelectionSubpicture.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\bg.pak.tmp C:\Users\Admin\AppData\Local\Temp\_StorageEventsArchive.dat.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\tipresx.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\tabskb.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-background.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationUp_SelectionSubpicture.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\dicjp.dll.tmp C:\Users\Admin\AppData\Local\Temp\_StorageEventsArchive.dat.exe N/A
File created C:\Program Files\Common Files\System\ado\msado26.tlb.tmp C:\Users\Admin\AppData\Local\Temp\_StorageEventsArchive.dat.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\ja-JP\msdasqlr.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\OmdProject.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SceneButtonInset_Alpha1.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\7-Zip\Lang\eo.txt.tmp C:\Users\Admin\AppData\Local\Temp\_StorageEventsArchive.dat.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\ShapeCollector.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\_StorageEventsArchive.dat.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\tipresx.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\VSTOLoaderUI.dll.tmp C:\Users\Admin\AppData\Local\Temp\_StorageEventsArchive.dat.exe N/A
File created C:\Program Files\Common Files\System\ja-JP\wab32res.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\msadc\msadcfr.dll.tmp C:\Users\Admin\AppData\Local\Temp\_StorageEventsArchive.dat.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\ja-JP\oledb32r.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_StorageEventsArchive.dat.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationUp_SelectionSubpicture.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\th.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\7-Zip\Lang\uz.txt.tmp C:\Users\Admin\AppData\Local\Temp\_StorageEventsArchive.dat.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_plain_Thumbnail.bmp.tmp C:\Users\Admin\AppData\Local\Temp\_StorageEventsArchive.dat.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Genko_1.emf.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\OmdBase.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Notes_btn-back-static.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\WMM2CLIP.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\mip.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\_StorageEventsArchive.dat.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwrenclm.dat.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\ado\en-US\msader15.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_StorageEventsArchive.dat.exe N/A
File created C:\Program Files\Common Files\System\msadc\de-DE\msadcor.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Full\1047x576black.png.tmp C:\Users\Admin\AppData\Local\Temp\_StorageEventsArchive.dat.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\1047x576_91n92.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\reflect.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\dicjp.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_jpn.xml.tmp C:\Users\Admin\AppData\Local\Temp\_StorageEventsArchive.dat.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\shadowonlyframe_buttongraphic.png.tmp C:\Users\Admin\AppData\Local\Temp\_StorageEventsArchive.dat.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9fed8cab39c5b453da5b5a2f4f176ea0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\9fed8cab39c5b453da5b5a2f4f176ea0_NeikiAnalytics.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

C:\Users\Admin\AppData\Local\Temp\_StorageEventsArchive.dat.exe

"_StorageEventsArchive.dat.exe"

Network

N/A

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 03:49

Reported

2024-06-14 03:52

Platform

win10v2004-20240226-en

Max time kernel

151s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9fed8cab39c5b453da5b5a2f4f176ea0_NeikiAnalytics.exe"

Signatures

Renames multiple (1186) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_StorageEventsArchive.dat.exe N/A
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A

UPX packed file

upx

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\9fed8cab39c5b453da5b5a2f4f176ea0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\9fed8cab39c5b453da5b5a2f4f176ea0_NeikiAnalytics.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ko\ReachFramework.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ja\UIAutomationClientSideProviders.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_StorageEventsArchive.dat.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-core-synch-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\_StorageEventsArchive.dat.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\cs\System.Windows.Forms.Primitives.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\fr\PresentationFramework.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_StorageEventsArchive.dat.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Linq.dll.tmp C:\Users\Admin\AppData\Local\Temp\_StorageEventsArchive.dat.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Threading.Overlapped.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Text.RegularExpressions.dll.tmp C:\Users\Admin\AppData\Local\Temp\_StorageEventsArchive.dat.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\UIAutomationClientSideProviders.dll.tmp C:\Users\Admin\AppData\Local\Temp\_StorageEventsArchive.dat.exe N/A
File created C:\Program Files\7-Zip\Lang\de.txt.tmp C:\Users\Admin\AppData\Local\Temp\_StorageEventsArchive.dat.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_StorageEventsArchive.dat.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-crt-heap-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\_StorageEventsArchive.dat.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Runtime.Serialization.Formatters.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\it\System.Windows.Forms.Primitives.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_StorageEventsArchive.dat.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ru\PresentationUI.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipsrom.xml.tmp C:\Users\Admin\AppData\Local\Temp\_StorageEventsArchive.dat.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\uk-UA\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_StorageEventsArchive.dat.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\msadcer.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\es-ES\msadcor.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_StorageEventsArchive.dat.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\tr\System.Windows.Forms.Design.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_StorageEventsArchive.dat.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\zh-Hant\System.Windows.Forms.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-processthreads-l1-1-1.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ThirdPartyNotices.MSHWLatin.txt.tmp C:\Users\Admin\AppData\Local\Temp\_StorageEventsArchive.dat.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE.tmp C:\Users\Admin\AppData\Local\Temp\_StorageEventsArchive.dat.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\zh-Hans\UIAutomationClient.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_StorageEventsArchive.dat.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\de\PresentationFramework.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\Microsoft.VisualBasic.dll.tmp C:\Users\Admin\AppData\Local\Temp\_StorageEventsArchive.dat.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipsnor.xml.tmp C:\Users\Admin\AppData\Local\Temp\_StorageEventsArchive.dat.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\tipskins.dll.tmp C:\Users\Admin\AppData\Local\Temp\_StorageEventsArchive.dat.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\System.CodeDom.dll.tmp C:\Users\Admin\AppData\Local\Temp\_StorageEventsArchive.dat.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Data.Common.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Reflection.Metadata.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\WindowsBase.dll.tmp C:\Users\Admin\AppData\Local\Temp\_StorageEventsArchive.dat.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\zh-Hans\UIAutomationClientSideProviders.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\fr\System.Windows.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_StorageEventsArchive.dat.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ka.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\7-Zip\Lang\uk.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\msinfo32.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\_StorageEventsArchive.dat.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ja\WindowsBase.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\pt-BR\System.Windows.Forms.Design.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\pl\ReachFramework.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ru\WindowsFormsIntegration.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\es-ES\tabskb.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_StorageEventsArchive.dat.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Net.Quic.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Runtime.Loader.dll.tmp C:\Users\Admin\AppData\Local\Temp\_StorageEventsArchive.dat.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ko\System.Windows.Input.Manipulations.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ru\UIAutomationClient.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVScripting.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ko\System.Windows.Forms.Primitives.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_StorageEventsArchive.dat.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\pt-BR\PresentationFramework.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_StorageEventsArchive.dat.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ko\UIAutomationClientSideProviders.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\Alphabet.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Collections.Specialized.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ko\PresentationCore.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Drawing.Primitives.dll.tmp C:\Users\Admin\AppData\Local\Temp\_StorageEventsArchive.dat.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Net.Security.dll.tmp C:\Users\Admin\AppData\Local\Temp\_StorageEventsArchive.dat.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\it\PresentationUI.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_StorageEventsArchive.dat.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\pt-BR\PresentationCore.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\de\System.Windows.Input.Manipulations.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-synch-l1-2-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\_StorageEventsArchive.dat.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\.version.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Runtime.Serialization.Primitives.dll.tmp C:\Users\Admin\AppData\Local\Temp\_StorageEventsArchive.dat.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipsen.xml.tmp C:\Users\Admin\AppData\Local\Temp\_StorageEventsArchive.dat.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9fed8cab39c5b453da5b5a2f4f176ea0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\9fed8cab39c5b453da5b5a2f4f176ea0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\_StorageEventsArchive.dat.exe

"_StorageEventsArchive.dat.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4092 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 211.143.182.52.in-addr.arpa udp

Files

memory/2960-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_StorageEventsArchive.dat.exe

MD5 16b5ee26247bd433ac9cad84dfe9e0a0
SHA1 c7e1b0f51230079ecf7e28f1eb771afbe6c4f002
SHA256 6fcc7f420b57c19a5f1c67613915037738a3c36484060f9b3567a8f7d6f496fe
SHA512 55fc101cbab8c9cdae8dbc3e9633f8576ddf8724b5ddc42ca3009b429001ac653ed2e83a859a6f0d67f39121d70fd1fed7311d0aa384c7ea71a35e9b9694feec

memory/1460-11-0x0000000000400000-0x000000000040B000-memory.dmp

C:\Windows\SysWOW64\Zombie.exe

MD5 47cd53a8f02415b3a70942da44656522
SHA1 c90c29f0f6182650e0f11feed86565dad5165d61
SHA256 1d31a23008eadc26626f1e55b5573a8a7fa2e0444b3c203c4b99a7ec2e6dcc9d
SHA512 1efc68807918dc5d901355e3bdc465d4213b7361b4723d941e842dc00bd0bb4467dd4428bf7e7dc1da2737db3e6c4db633f6c997bbf241b6f04958b37f73c21f
