Malware Analysis Report

2025-01-03 08:29

Sample ID 240616-3zy9xsydrj
Target 20a6277512b534f5aa9c0aac97ac5ac0_NeikiAnalytics.exe
SHA256 ad2c872b896027a66748583eb9ecdebd606ef902781e2655deb58e0bae817d9e
Tags ransomware
Score 9/10

Analysis Overview

Threat Level: Likely malicious

The file 20a6277512b534f5aa9c0aac97ac5ac0_NeikiAnalytics.exe was found to be: Likely malicious.

Malicious Activity Summary

ransomware

Renames multiple (5070) files with added filename extension

Renames multiple (4011) files with added filename extension

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-16 23:57

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 23:57

Reported

2024-06-17 00:00

Platform

win7-20240221-en

Max time kernel

150s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\20a6277512b534f5aa9c0aac97ac5ac0_NeikiAnalytics.exe"

Signatures

Renames multiple (4011) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_state.rsm.exe N/A
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\20a6277512b534f5aa9c0aac97ac5ac0_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\20a6277512b534f5aa9c0aac97ac5ac0_NeikiAnalytics.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Tashkent.tmp C:\Users\Admin\AppData\Local\Temp\_state.rsm.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\codec\libaribsub_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\_state.rsm.exe N/A
File opened for modification C:\Program Files\7-Zip\readme.txt.tmp C:\Users\Admin\AppData\Local\Temp\_state.rsm.exe N/A
File created C:\Program Files\DVD Maker\en-US\DVDMaker.exe.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-masterfs.xml.exe.tmp C:\Users\Admin\AppData\Local\Temp\_state.rsm.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\SystemV\AST4.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\access\libudp_plugin.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\rtscom.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.net.win32.x86_64.nl_zh_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\_state.rsm.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-openide-execution.xml_hidden.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\btn-back-static.png.tmp C:\Users\Admin\AppData\Local\Temp\_state.rsm.exe N/A
File created C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\SpiderSolitaire.exe.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\FlickLearningWizard.exe.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\curtains.png.tmp C:\Users\Admin\AppData\Local\Temp\_state.rsm.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_VideoInset.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-uihandler.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\UIAutomationClientsideProviders.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_mixer\libinteger_mixer_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\_state.rsm.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Vancouver.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Asia\Novosibirsk.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Mozilla Firefox\uninstall\shortcuts_log.ini.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\sqlxmlx.dll.tmp C:\Users\Admin\AppData\Local\Temp\_state.rsm.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\db\bin\setNetworkServerCP.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe.tmp C:\Users\Admin\AppData\Local\Temp\_state.rsm.exe N/A
File created C:\Program Files\Windows Mail\de-DE\msoeres.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_state.rsm.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.nl_zh_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\_state.rsm.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director_2.3.100.v20140224-1921.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ql_2.0.100.v20131211-1531.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\kn\LC_MESSAGES\vlc.mo.tmp C:\Users\Admin\AppData\Local\Temp\_state.rsm.exe N/A
File created C:\Program Files\Internet Explorer\Timeline.cpu.xml.tmp C:\Users\Admin\AppData\Local\Temp\_state.rsm.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyclient.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\core.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Office14\NPAUTHZ.DLL.tmp C:\Users\Admin\AppData\Local\Temp\_state.rsm.exe N/A
File created C:\Program Files\Mozilla Firefox\IA2Marshal.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\codec\liblibass_plugin.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationLeft_SelectionSubpicture.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\Passport.wmv.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.swt.nl_zh_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\_state.rsm.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_plain_Thumbnail.bmp.tmp C:\Users\Admin\AppData\Local\Temp\_state.rsm.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\day-of-week-16.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationLeft_SelectionSubpicture.png.tmp C:\Users\Admin\AppData\Local\Temp\_state.rsm.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.base.nl_zh_4.4.0.v20140623020002.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Management.Instrumentation.Resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_state.rsm.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-masterfs_zh_CN.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Etc\GMT-10.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Etc\GMT-13.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libavi_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\_state.rsm.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libcache_read_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\_state.rsm.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ext.txt.tmp C:\Users\Admin\AppData\Local\Temp\_state.rsm.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\meta-index.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\tzmappings.tmp C:\Users\Admin\AppData\Local\Temp\_state.rsm.exe N/A
File created C:\Program Files\7-Zip\Lang\ka.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ko.pak.tmp C:\Users\Admin\AppData\Local\Temp\_state.rsm.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\ext\access-bridge-64.jar.tmp C:\Users\Admin\AppData\Local\Temp\_state.rsm.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\de.pak.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Mahjong\es-ES\Mahjong.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\_state.rsm.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.IO.Log.dll.tmp C:\Users\Admin\AppData\Local\Temp\_state.rsm.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Bissau.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\ext\sunjce_provider.jar.tmp C:\Users\Admin\AppData\Local\Temp\_state.rsm.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Web.Entity.Resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\codec\libuleaddvaudio_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\_state.rsm.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_standard_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\_state.rsm.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Detroit.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\fr-FR\DVDMaker.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\_state.rsm.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\20a6277512b534f5aa9c0aac97ac5ac0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\20a6277512b534f5aa9c0aac97ac5ac0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\_state.rsm.exe

"_state.rsm.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

Network

N/A

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-16 23:57

Reported

2024-06-17 00:00

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\20a6277512b534f5aa9c0aac97ac5ac0_NeikiAnalytics.exe"

Signatures

Renames multiple (5070) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_state.rsm.exe N/A
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\20a6277512b534f5aa9c0aac97ac5ac0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\20a6277512b534f5aa9c0aac97ac5ac0_NeikiAnalytics.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.X509Certificates.dll.tmp C:\Users\Admin\AppData\Local\Temp\_state.rsm.exe N/A
File created C:\Program Files\Google\Chrome\Application\110.0.5481.104\VisualElements\LogoCanary.png.tmp C:\Users\Admin\AppData\Local\Temp\_state.rsm.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\baseAltGr_rtl.xml.tmp C:\Users\Admin\AppData\Local\Temp\_state.rsm.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\UIAutomationProvider.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_state.rsm.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\PresentationFramework.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\cmm\CIEXYZ.pf.tmp C:\Users\Admin\AppData\Local\Temp\_state.rsm.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Trial-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_state.rsm.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTest-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_state.rsm.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\EntityPickerIntl.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_state.rsm.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-pl.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcDemoR_BypassTrial365-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTrial-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PREVIEWTEMPLATE.POTX.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MEDIA\COIN.WAV.tmp C:\Users\Admin\AppData\Local\Temp\_state.rsm.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\bg\msipc.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.et-ee.dll.tmp C:\Users\Admin\AppData\Local\Temp\_state.rsm.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\PresentationFramework.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\ucrtbase.dll.tmp C:\Users\Admin\AppData\Local\Temp\_state.rsm.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\dt_socket.dll.tmp C:\Users\Admin\AppData\Local\Temp\_state.rsm.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Integration\Integrator.exe.tmp C:\Users\Admin\AppData\Local\Temp\_state.rsm.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp3-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_state.rsm.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\Library\SOLVER\SOLVER.XLAM.tmp C:\Users\Admin\AppData\Local\Temp\_state.rsm.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\WindowsBase.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Forms.Primitives.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_state.rsm.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\System.Windows.Forms.Design.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre-1.8\legal\javafx\libxml2.md.tmp C:\Users\Admin\AppData\Local\Temp\_state.rsm.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\javapackager.exe.tmp C:\Users\Admin\AppData\Local\Temp\_state.rsm.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-multibyte-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\_state.rsm.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\SkypeServiceBypassR_PrepidBypass-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\msoutilstat.etw.man.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\CancelFluent.png.tmp C:\Users\Admin\AppData\Local\Temp\_state.rsm.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\mng.txt.tmp C:\Users\Admin\AppData\Local\Temp\_state.rsm.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\uk-UA\InputPersonalization.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\_state.rsm.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\t2k.dll.tmp C:\Users\Admin\AppData\Local\Temp\_state.rsm.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\eula.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\OneNoteFreeR_Bypass-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_state.rsm.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_MAK_AE-ul-phn.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\PresentationUI.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\WindowsFormsIntegration.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_state.rsm.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-100.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ONRES.DLL.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\hwrenUSlm.dat.tmp C:\Users\Admin\AppData\Local\Temp\_state.rsm.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ThirdPartyNotices.MSHWLatin.txt.tmp C:\Users\Admin\AppData\Local\Temp\_state.rsm.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.Contracts.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\PresentationFramework.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\sspi_bridge.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Schoolbook.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Integration\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml.tmp C:\Users\Admin\AppData\Local\Temp\_state.rsm.exe N/A
File created C:\Program Files\Microsoft Office\root\Integration\Integrator.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp-ul-phn.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest1-pl.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\dbgshim.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_MAK-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\FPA_f4\FA000000005.exe.tmp C:\Users\Admin\AppData\Local\Temp\_state.rsm.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\ReachFramework.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusDemoR_BypassTrial365-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_state.rsm.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_state.rsm.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Windows.Input.Manipulations.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\keytool.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial3-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Layout.dll.tmp C:\Users\Admin\AppData\Local\Temp\_state.rsm.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\UIAutomationClient.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\20a6277512b534f5aa9c0aac97ac5ac0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\20a6277512b534f5aa9c0aac97ac5ac0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\_state.rsm.exe

"_state.rsm.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1276,i,7977653611488681184,6839495125838449898,262144 --variations-seed-version --mojo-platform-channel-handle=4380 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
BE 2.17.107.123:443 www.bing.com tcp
US 8.8.8.8:53 123.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\_state.rsm.exe

MD5 82327eaa64c30d62e759fa49e40a124f
SHA1 311f2edad1bf80797ee1bb859b9d90287efa84bf
SHA256 fd7ea23225c639b90c3ca88b7feb6e4bb46a31e09f51de2f03ceec68ee671b9c
SHA512 63bf39668e486abccf78d366e27d10e6cd2b22cc00c95cafe4f83ed5da8b0492c7c81381409545af928dd8159afb3f3ac5bbe0ae9dbb43171234d540b42de423

C:\Windows\SysWOW64\Zombie.exe

MD5 9e1c1243553d048f422ace912520f891
SHA1 0184c089ead7c847cbb1c4ff32609c6a9a166b5e
SHA256 57fb26202c7f1fad90a97aa541c55589a4f68ddb2a7999e243848fe1ac3410bf
SHA512 c8cbe3c9b2998503f8f32a6dba0c34f9f8072f248b5131b4fb3d5d9b1f710524788bfed2fdb700ec067860e7816ec1a9238f9f2634dda16a15b25a53b39d457a
