Malware Analysis Report

2025-01-03 08:27

Sample ID 240617-dfs65a1dma
Target 3b06ca19cc626a91f6761c83cbbd7790_NeikiAnalytics.exe
SHA256 4947d2031b5fc04734f23ced255055e91ef10c5571d110e6689e28f409537212
Tags: ransomware
Score: 9/10

Analysis Overview

Threat Level: Likely malicious

The file 3b06ca19cc626a91f6761c83cbbd7790_NeikiAnalytics.exe was found to be: Likely malicious.

Malicious Activity Summary

ransomware

Renames multiple (4862) files with added filename extension

Renames multiple (4075) files with added filename extension

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-17 02:57

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-17 02:57
Reported: 2024-06-17 02:59
Platform: win7-20240611-en
Max time kernel: 150s
Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3b06ca19cc626a91f6761c83cbbd7790_NeikiAnalytics.exe"

Signatures

Renames multiple (4075) files with added filename extension

ransomware

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_Get-VSChannelManifest.ps1.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Zombie.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\Zombie.exe | C:\Users\Admin\AppData\Local\Temp\3b06ca19cc626a91f6761c83cbbd7790_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Zombie.exe | C:\Users\Admin\AppData\Local\Temp\3b06ca19cc626a91f6761c83cbbd7790_NeikiAnalytics.exe | N/A

Drops file in Program Files directory


Processes

C:\Users\Admin\AppData\Local\Temp\3b06ca19cc626a91f6761c83cbbd7790_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\3b06ca19cc626a91f6761c83cbbd7790_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\_Get-VSChannelManifest.ps1.exe

"_Get-VSChannelManifest.ps1.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

Network

N/A

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-06-17 02:57

Reported

2024-06-17 03:00

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3b06ca19cc626a91f6761c83cbbd7790_NeikiAnalytics.exe"

Signatures

Renames multiple (4862) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_Get-VSChannelManifest.ps1.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\3b06ca19cc626a91f6761c83cbbd7790_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\3b06ca19cc626a91f6761c83cbbd7790_NeikiAnalytics.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk-1.8\legal\jdk\xalan.md.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp3-pl.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL048.XML.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\uk-UA\wab32res.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.WindowsDesktop.App.runtimeconfig.json.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSChannelManifest.ps1.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\PresentationCore.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\UIAutomationClient.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Trial-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Grace-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSChannelManifest.ps1.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-100.png.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSChannelManifest.ps1.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\id.txt.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSChannelManifest.ps1.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\oledb32r.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Linq.Parallel.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSChannelManifest.ps1.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\UIAutomationProvider.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSChannelManifest.ps1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Inset.eftx.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSChannelManifest.ps1.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_SubTrial-pl.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.CompilerServices.VisualC.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\sunmscapi.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSChannelManifest.ps1.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Document.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSChannelManifest.ps1.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_MoveDrop32x32.gif.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_KMS_Client_AE-ul.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-white_scale-180.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\7-Zip\Lang\hr.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\Microsoft.VisualBasic.Forms.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Xaml.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\w2k_lsa_auth.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSChannelManifest.ps1.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\sv.pak.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\fre\StartMenu_Win7_RTL.wmv.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSChannelManifest.ps1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-140.png.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSChannelManifest.ps1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Retail-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSChannelManifest.ps1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\ORGCHART.CHM.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.FileVersionInfo.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Private.Xml.Linq.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_KMS_Client-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSChannelManifest.ps1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-black_scale-140.png.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSChannelManifest.ps1.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ipsrom.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaBrightItalic.ttf.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSChannelManifest.ps1.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_Grace-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSChannelManifest.ps1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSChannelManifest.ps1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHKEY.DAT.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSChannelManifest.ps1.exe N/A
File created C:\Program Files\7-Zip\7-zip.chm.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Royale.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\vcruntime140_1.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_fr.properties.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSChannelManifest.ps1.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.scale-80.png.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSChannelManifest.ps1.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Xaml.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSChannelManifest.ps1.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\System.Windows.Forms.Primitives.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSChannelManifest.ps1.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\UIAutomationClient.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSChannelManifest.ps1.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp3-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSChannelManifest.ps1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp4-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSChannelManifest.ps1.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_KMS_Client_AE-ul.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R64.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\StreamServer.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\PresentationCore.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSChannelManifest.ps1.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSChannelManifest.ps1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_SubTrial-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSChannelManifest.ps1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_OEM_Perp-pl.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_WHATSNEW.XML.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSOSYNC.EXE.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSChannelManifest.ps1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSZIP.DIC.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\7-Zip\Lang\da.txt.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSChannelManifest.ps1.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3b06ca19cc626a91f6761c83cbbd7790_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\3b06ca19cc626a91f6761c83cbbd7790_NeikiAnalytics.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

C:\Users\Admin\AppData\Local\Temp\_Get-VSChannelManifest.ps1.exe

"_Get-VSChannelManifest.ps1.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp

Files

C:\Windows\SysWOW64\Zombie.exe

MD5 9e1c1243553d048f422ace912520f891
SHA1 0184c089ead7c847cbb1c4ff32609c6a9a166b5e
SHA256 57fb26202c7f1fad90a97aa541c55589a4f68ddb2a7999e243848fe1ac3410bf
SHA512 c8cbe3c9b2998503f8f32a6dba0c34f9f8072f248b5131b4fb3d5d9b1f710524788bfed2fdb700ec067860e7816ec1a9238f9f2634dda16a15b25a53b39d457a

C:\Users\Admin\AppData\Local\Temp\_Get-VSChannelManifest.ps1.exe

MD5 d854b0f2aa47781ddb8a174d9d35b206
SHA1 70feae274736cd18d66e36fae7410cb093cf45bf
SHA256 2e23f9ab53f156907315c9952cce443beb063341fb84670b8b8901c2075a54bf
SHA512 6c0f1ee27f416ad3574d7e79b83e4682e7c5fa0b8a2a2f8e08c9b0d284ad297af1b40b11d0115be31c4d5b1d41339f6f6ff6b28843be5a7b90a6d29cd9d9ee8c
