Malware Analysis Report

2025-01-03 08:27

Sample ID 240617-dfezhavgpn
Target 3afab4af1444b783803efa519a103650_NeikiAnalytics.exe
SHA256 20c095fa88b3afc74c1d8130feaacdb3808224f27a3e025b76364eefe821d2c3
Tags
ransomware
score
9/10

Analysis Overview

score
9/10

SHA256

20c095fa88b3afc74c1d8130feaacdb3808224f27a3e025b76364eefe821d2c3

Threat Level: Likely malicious

The file 3afab4af1444b783803efa519a103650_NeikiAnalytics.exe was found to be: Likely malicious.

Malicious Activity Summary

ransomware

Renames multiple (4706) files with added filename extension

Renames multiple (622) files with added filename extension

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-17 02:56

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-17 02:56

Reported

2024-06-17 02:59

Platform

win7-20240611-en

Max time kernel

150s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3afab4af1444b783803efa519a103650_NeikiAnalytics.exe"

Signatures

Renames multiple (622) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_Get-AppInstallLocation.ps1.exe N/A
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\3afab4af1444b783803efa519a103650_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\3afab4af1444b783803efa519a103650_NeikiAnalytics.exe N/A

Drops file in Program Files directory


Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2100 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\3afab4af1444b783803efa519a103650_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\_Get-AppInstallLocation.ps1.exe
PID 2100 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\3afab4af1444b783803efa519a103650_NeikiAnalytics.exe C:\Windows\SysWOW64\Zombie.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3afab4af1444b783803efa519a103650_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\3afab4af1444b783803efa519a103650_NeikiAnalytics.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

C:\Users\Admin\AppData\Local\Temp\_Get-AppInstallLocation.ps1.exe

"_Get-AppInstallLocation.ps1.exe"

Network

N/A

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-06-17 02:56

Reported

2024-06-17 02:59

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3afab4af1444b783803efa519a103650_NeikiAnalytics.exe"

Signatures

Renames multiple (4706) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_Get-AppInstallLocation.ps1.exe N/A
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\3afab4af1444b783803efa519a103650_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\3afab4af1444b783803efa519a103650_NeikiAnalytics.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\WindowsFormsIntegration.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-AppInstallLocation.ps1.exe N/A
File created C:\Program Files\Java\jdk-1.8\include\jni.h.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe.tmp C:\Users\Admin\AppData\Local\Temp\_Get-AppInstallLocation.ps1.exe N/A
File created C:\Program Files\Java\jdk-1.8\legal\jdk\giflib.md.tmp C:\Users\Admin\AppData\Local\Temp\_Get-AppInstallLocation.ps1.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\deploy\splash_11-lic.gif.tmp C:\Users\Admin\AppData\Local\Temp\_Get-AppInstallLocation.ps1.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-ul-phn.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp3-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\el-GR\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_Get-AppInstallLocation.ps1.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\PresentationUI.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial4-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Retail-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Get-AppInstallLocation.ps1.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Text.Encoding.Extensions.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-AppInstallLocation.ps1.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\fonts\LucidaSansRegular.ttf.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.ReportingServices.AdHoc.Excel.Client.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-AppInstallLocation.ps1.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-environment-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-AppInstallLocation.ps1.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Primitives.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Data.Common.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.Tracing.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-AppInstallLocation.ps1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription1-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\es-ES\msdaprsr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_Get-AppInstallLocation.ps1.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XPath.XDocument.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Security.Cryptography.ProtectedData.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-AppInstallLocation.ps1.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\UIAutomationTypes.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial2-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Get-AppInstallLocation.ps1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusDemoR_BypassTrial180-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Get-AppInstallLocation.ps1.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\SQLENGINEMESSAGES.XML.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscorrc.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-AppInstallLocation.ps1.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework-SystemData.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.DataIntegration.FuzzyMatchingCommon.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\IpsMigrationPlugin.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ja-JP\rtscom.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_Get-AppInstallLocation.ps1.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe.tmp C:\Users\Admin\AppData\Local\Temp\_Get-AppInstallLocation.ps1.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\WindowsBase.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-AppInstallLocation.ps1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\as80.xsl.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ipscat.xml.tmp C:\Users\Admin\AppData\Local\Temp\_Get-AppInstallLocation.ps1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Grace-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Get-AppInstallLocation.ps1.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\rmic.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\swidtag\Microsoft Windows Desktop Runtime - 6.0.27 (x64).swidtag.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\legal\jdk\freebxml.md.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription4-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Get-AppInstallLocation.ps1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial2-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Get-AppInstallLocation.ps1.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XmlDocument.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_MAKC2R-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Get-AppInstallLocation.ps1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Grace-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Retail-pl.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSWORD.OLB.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\ReachFramework.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-AppInstallLocation.ps1.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-pl.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ExcelCombinedFloatieModel.bin.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.CodeDom.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Debug.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\meta-index.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\jp2iexp.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\cmm\PYCC.pf.tmp C:\Users\Admin\AppData\Local\Temp\_Get-AppInstallLocation.ps1.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail2-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Get-AppInstallLocation.ps1.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.DiaSymReader.Native.amd64.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial5-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\javaws.exe.tmp C:\Users\Admin\AppData\Local\Temp\_Get-AppInstallLocation.ps1.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Windows.Forms.Primitives.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-AppInstallLocation.ps1.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Security.Cryptography.Pkcs.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3afab4af1444b783803efa519a103650_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\3afab4af1444b783803efa519a103650_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\_Get-AppInstallLocation.ps1.exe

"_Get-AppInstallLocation.ps1.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\_Get-AppInstallLocation.ps1.exe

MD5 db624ae16b59dfea5f80e79edb5ec112
SHA1 720975fd63f7638cb71dfc3a985f95da30a3763e
SHA256 75e2ce95b1ce5107d6bc95886fdbc30c44b903d8f41524aef6d45b1cf9694673
SHA512 c160d22512bff8d8ca4075720c21f354c8bb702d6db3d5e973681ecdb925bdcea03123f665fcf516a2fe88c455ee1e47d5bbeaa2b32eab00f078118295ecb17d

C:\Windows\SysWOW64\Zombie.exe

MD5 0381f5548cc7a30d809cd4dc5cbb37f5
SHA1 90c85734ae4ac7a97fd7f2e40636edf04da367ec
SHA256 c98d5b092adf528b10ea00eee58562915e6ca48109528954e447521ff76a5e1a
SHA512 081b7a56179435cd015c41dbf3e8d9feda7fced5515b611d37394950b303e1d90688a69344d36850dfc82f315eb93d42924677723338ac7719d828f7f17f2284
