Malware Analysis Report

2025-01-03 08:27

Sample ID 240617-d19dvasbnf
Target 3fa46b59415998d95222fc4088ee4090_NeikiAnalytics.exe
SHA256 1c0656010bb85aa063c018c47704b44ea89c1e2457eaea133ea6bb9ce5c680bd
Tags
upx ransomware
score
9/10

Analysis Overview

score
9/10

SHA256

1c0656010bb85aa063c018c47704b44ea89c1e2457eaea133ea6bb9ce5c680bd

Threat Level: Likely malicious

The file 3fa46b59415998d95222fc4088ee4090_NeikiAnalytics.exe was found to be: Likely malicious.

Malicious Activity Summary

upx ransomware

Renames multiple (508) files with added filename extension

Renames multiple (5439) files with added filename extension

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-17 03:29

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-17 03:29

Reported

2024-06-17 03:32

Platform

win7-20240611-en

Max time kernel

134s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3fa46b59415998d95222fc4088ee4090_NeikiAnalytics.exe"

Signatures

Renames multiple (508) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_263.exe N/A
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\3fa46b59415998d95222fc4088ee4090_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\3fa46b59415998d95222fc4088ee4090_NeikiAnalytics.exe N/A

Drops file in Program Files directory

Processes

C:\Users\Admin\AppData\Local\Temp\3fa46b59415998d95222fc4088ee4090_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\3fa46b59415998d95222fc4088ee4090_NeikiAnalytics.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

C:\Users\Admin\AppData\Local\Temp\_263.exe

"_263.exe"

Network

N/A

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-17 03:29

Reported

2024-06-17 03:32

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

51s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3fa46b59415998d95222fc4088ee4090_NeikiAnalytics.exe"

Signatures

Renames multiple (5439) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_263.exe N/A
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\3fa46b59415998d95222fc4088ee4090_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\3fa46b59415998d95222fc4088ee4090_NeikiAnalytics.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.reportviewer.common.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.CSharp.dll.tmp C:\Users\Admin\AppData\Local\Temp\_263.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\UIAutomationClientSideProviders.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_263.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.TypeExtensions.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Median.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Retail-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Trial-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_263.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_KMS_Client_AE-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_263.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-180.png.tmp C:\Users\Admin\AppData\Local\Temp\_263.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Templates\1033\AdjacencyReport.dotx.tmp C:\Users\Admin\AppData\Local\Temp\_263.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\es-ES\rtscom.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\UIAutomationProvider.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_263.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-convert-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\_263.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Retail-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_263.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_KMS_Client-ul.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-80.png.tmp C:\Users\Admin\AppData\Local\Temp\_263.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\en-US\InputPersonalization.exe.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\PresentationCore.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\splashscreen.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.MashupEngine.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\sql90.xsl.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\msoutilstat.etw.man.tmp C:\Users\Admin\AppData\Local\Temp\_263.exe N/A
File created C:\Program Files\Microsoft Office\Office16\OSPP.HTM.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Grace-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_263.exe N/A
File created C:\Program Files\Java\jdk-1.8\include\win32\jni_md.h.exe.tmp C:\Users\Admin\AppData\Local\Temp\_263.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-private-l1-1-0.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial4-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_263.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_COL.HXC.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.FileSystem.DriveInfo.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Windows.Controls.Ribbon.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\hi.pak.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-black_scale-100.png.tmp C:\Users\Admin\AppData\Local\Temp\_263.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] C:\Users\Admin\AppData\Local\Temp\_263.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\rsod\officemui.msi.16.en-us.tree.dat.tmp C:\Users\Admin\AppData\Local\Temp\_263.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Collections.NonGeneric.dll.tmp C:\Users\Admin\AppData\Local\Temp\_263.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework-SystemCore.dll.tmp C:\Users\Admin\AppData\Local\Temp\_263.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\legal\jdk\freebxml.md.tmp C:\Users\Admin\AppData\Local\Temp\_263.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_MAK-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\msadc\en-US\msadcor.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_263.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ViewOnly_ZeroGrace-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_263.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected] C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Algorithms.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\mscordaccore_amd64_amd64_8.0.224.6711.dll.tmp C:\Users\Admin\AppData\Local\Temp\_263.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\UIAutomationTypes.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Drawing.dll.tmp C:\Users\Admin\AppData\Local\Temp\_263.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSOSREC.EXE.tmp C:\Users\Admin\AppData\Local\Temp\_263.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PROOF\msth8ES.LEX.tmp C:\Users\Admin\AppData\Local\Temp\_263.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest2-pl.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_MAK-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_263.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\OpenSSL64.DllA\ssleay32.dll.tmp C:\Users\Admin\AppData\Local\Temp\_263.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\psfont.properties.ja.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\fre\StartMenu_Win7_RTL.wmv.tmp C:\Users\Admin\AppData\Local\Temp\_263.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Integration\SPPRedist.msi.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.ReportingServices.DataExtensions.dll.tmp C:\Users\Admin\AppData\Local\Temp\_263.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\.version.tmp C:\Users\Admin\AppData\Local\Temp\_263.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Security.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.Emit.Lightweight.dll.tmp C:\Users\Admin\AppData\Local\Temp\_263.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_KMS_Client-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-black_scale-100.png.tmp C:\Users\Admin\AppData\Local\Temp\_263.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\rsod\osmuxmui.msi.16.en-us.boot.tree.dat.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Luna.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3fa46b59415998d95222fc4088ee4090_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\3fa46b59415998d95222fc4088ee4090_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\_263.exe

"_263.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files
