Malware Analysis Report

2025-01-03 08:25

Sample ID 240617-has2dssemr
Target 5a6c9591417cec01a5e98363acd41e50_NeikiAnalytics.exe
SHA256 4fcb3a6b6d3284467b0211ddcce68883da890bf61a5c875be19345311cf06ed7
Tags ransomware
Score 9/10

Analysis Overview

Score 9/10
SHA256 4fcb3a6b6d3284467b0211ddcce68883da890bf61a5c875be19345311cf06ed7

Threat Level: Likely malicious

The file 5a6c9591417cec01a5e98363acd41e50_NeikiAnalytics.exe was found to be: Likely malicious.

Malicious Activity Summary

ransomware

Renames multiple (3922) files with added filename extension

Renames multiple (5149) files with added filename extension

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported 2024-06-17 06:32

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-17 06:32
Reported 2024-06-17 06:34
Platform win7-20231129-en
Max time kernel 150s
Max time network 124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5a6c9591417cec01a5e98363acd41e50_NeikiAnalytics.exe"

Signatures

Renames multiple (3922) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_Set-PowerShellExitCode.ps1.exe N/A
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\5a6c9591417cec01a5e98363acd41e50_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\5a6c9591417cec01a5e98363acd41e50_NeikiAnalytics.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Microsoft Games\Multiplayer\Backgammon\it-IT\bckgRes.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Jerusalem.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.nl_ja_4.4.0.v20140623020002.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\ado\msadomd.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Port_Moresby.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers.xml.tmp C:\Users\Admin\AppData\Local\Temp\_Set-PowerShellExitCode.ps1.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Hand Prints.htm.tmp C:\Users\Admin\AppData\Local\Temp\_Set-PowerShellExitCode.ps1.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\video_output\libvmem_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Set-PowerShellExitCode.ps1.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\visualvm.clusters.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Europe\Amsterdam.tmp C:\Users\Admin\AppData\Local\Temp\_Set-PowerShellExitCode.ps1.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-windows_zh_CN.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Toronto.tmp C:\Users\Admin\AppData\Local\Temp\_Set-PowerShellExitCode.ps1.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-snaptracer_ja.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\tzmappings.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Windows.Presentation.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_classic_win7.css.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.workbench_3.106.1.v20140827-1737.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\bin\verify.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\Office14\BCSLaunch.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Mozilla Firefox\notificationserver.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\fa.pak.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-modules-appui.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationUp_ButtonGraphic.png.tmp C:\Users\Admin\AppData\Local\Temp\_Set-PowerShellExitCode.ps1.exe N/A
File created C:\Program Files\Windows Media Player\fr-FR\WMPSideShowGadget.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\_Set-PowerShellExitCode.ps1.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_yuy2_plugin.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Accra.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+11.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host_ja.jar.exe.tmp C:\Users\Admin\AppData\Local\Temp\_Set-PowerShellExitCode.ps1.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Antarctica\Palmer.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.RunTime.Serialization.Resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Set-PowerShellExitCode.ps1.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\Microsoft.Build.Conversion.v3.5.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\ado\msador15.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\PST8PDT.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Journal\it-IT\jnwmon.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Media Player\wmpnssci.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Set-PowerShellExitCode.ps1.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\rtscom.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-heapdump.xml.exe.tmp C:\Users\Admin\AppData\Local\Temp\_Set-PowerShellExitCode.ps1.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationUp_SelectionSubpicture.png.tmp C:\Users\Admin\AppData\Local\Temp\_Set-PowerShellExitCode.ps1.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64.nl_zh_4.4.0.v20140623020002.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-util_zh_CN.jar.exe.tmp C:\Users\Admin\AppData\Local\Temp\_Set-PowerShellExitCode.ps1.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\visualization\libglspectrum_plugin.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\Content.xml.tmp C:\Users\Admin\AppData\Local\Temp\_Set-PowerShellExitCode.ps1.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\ShapeCollector.exe.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui.ja_5.5.0.165303.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-spi-actions_ja.jar.exe.tmp C:\Users\Admin\AppData\Local\Temp\_Set-PowerShellExitCode.ps1.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-charts_ja.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\background.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\feature.xml.tmp C:\Users\Admin\AppData\Local\Temp\_Set-PowerShellExitCode.ps1.exe N/A
File created C:\Program Files\DVD Maker\en-US\WMM2CLIP.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-multitabs.xml.exe.tmp C:\Users\Admin\AppData\Local\Temp\_Set-PowerShellExitCode.ps1.exe N/A
File created C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sk.pak.tmp C:\Users\Admin\AppData\Local\Temp\_Set-PowerShellExitCode.ps1.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4-dark.css.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Media Player\de-DE\wmplayer.exe.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\106.0.5249.119.manifest.exe.tmp C:\Users\Admin\AppData\Local\Temp\_Set-PowerShellExitCode.ps1.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\help.gif.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\imjplm.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Set-PowerShellExitCode.ps1.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\tipresx.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\CircleSubpicture.png.tmp C:\Users\Admin\AppData\Local\Temp\_Set-PowerShellExitCode.ps1.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.ssl_1.1.0.v20140827-1444.jar.tmp C:\Users\Admin\AppData\Local\Temp\_Set-PowerShellExitCode.ps1.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Menominee.tmp C:\Users\Admin\AppData\Local\Temp\_Set-PowerShellExitCode.ps1.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Antarctica\Syowa.tmp C:\Windows\SysWOW64\Zombie.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5a6c9591417cec01a5e98363acd41e50_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\5a6c9591417cec01a5e98363acd41e50_NeikiAnalytics.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

C:\Users\Admin\AppData\Local\Temp\_Set-PowerShellExitCode.ps1.exe

"_Set-PowerShellExitCode.ps1.exe"

Network

N/A

Files

\Windows\SysWOW64\Zombie.exe

MD5 0381f5548cc7a30d809cd4dc5cbb37f5
SHA1 90c85734ae4ac7a97fd7f2e40636edf04da367ec
SHA256 c98d5b092adf528b10ea00eee58562915e6ca48109528954e447521ff76a5e1a
SHA512 081b7a56179435cd015c41dbf3e8d9feda7fced5515b611d37394950b303e1d90688a69344d36850dfc82f315eb93d42924677723338ac7719d828f7f17f2284

C:\Users\Admin\AppData\Local\Temp\_Set-PowerShellExitCode.ps1.exe

MD5 f07dda7f20c8fd8b40d9bc5707a7d18e
SHA1 a7ee35241a14c0f9f115bacbdc3a862c3614d415
SHA256 f2ea5e2ed469df0345ffcfe3a3e3268c10b98289ccb4080668a66c76647c0225
SHA512 9700074f1d96255de9a871114f375ed1ac963bca26570d52eef32db7daf651fa806e4b324123437f4cca128f99aed4d6f6e04a5410603fb3d9fabe1727ff4aa8

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-17 06:32

Reported

2024-06-17 06:34

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

100s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5a6c9591417cec01a5e98363acd41e50_NeikiAnalytics.exe"

Signatures

Renames multiple (5149) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_Set-PowerShellExitCode.ps1.exe N/A
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\5a6c9591417cec01a5e98363acd41e50_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\5a6c9591417cec01a5e98363acd41e50_NeikiAnalytics.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Grace-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Set-PowerShellExitCode.ps1.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-private-l1-1-0.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-string-l1-1-0.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\msadc\ja-JP\msadcor.dll.mui.exe.tmp C:\Users\Admin\AppData\Local\Temp\_Set-PowerShellExitCode.ps1.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Xaml.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\lib\deployment.config.tmp C:\Users\Admin\AppData\Local\Temp\_Set-PowerShellExitCode.ps1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-pl.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Templates\1033\EssentialLetter.dotx.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Forms.Design.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Set-PowerShellExitCode.ps1.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\ext\sunjce_provider.jar.tmp C:\Users\Admin\AppData\Local\Temp\_Set-PowerShellExitCode.ps1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_SubTrial-pl.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_company.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\pt-BR\msipc.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_Set-PowerShellExitCode.ps1.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN108.XML.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Linq.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Set-PowerShellExitCode.ps1.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\PresentationCore.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_LinkNoDrop32x32.gif.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_MAK-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Retail-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Set-PowerShellExitCode.ps1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\GRAPH.ICO.tmp C:\Users\Admin\AppData\Local\Temp\_Set-PowerShellExitCode.ps1.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe.tmp C:\Users\Admin\AppData\Local\Temp\_Set-PowerShellExitCode.ps1.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_OEM_Perp-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Set-PowerShellExitCode.ps1.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\db2v0801.xsl.tmp C:\Users\Admin\AppData\Local\Temp\_Set-PowerShellExitCode.ps1.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected] C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sl-si.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Set-PowerShellExitCode.ps1.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-synch-l1-1-0.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcDemoR_BypassTrial365-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial2-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Set-PowerShellExitCode.ps1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-180.png.tmp C:\Users\Admin\AppData\Local\Temp\_Set-PowerShellExitCode.ps1.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Collections.Immutable.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Set-PowerShellExitCode.ps1.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Principal.Windows.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Set-PowerShellExitCode.ps1.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp-ul-phn.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_COL.HXT.tmp C:\Users\Admin\AppData\Local\Temp\_Set-PowerShellExitCode.ps1.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Excel.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sv-se.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\WindowsFormsIntegration.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_KMS_Client_AE-ul.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Set-PowerShellExitCode.ps1.exe N/A
File created C:\Program Files\Common Files\System\ado\msader15.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-datetime-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Set-PowerShellExitCode.ps1.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\WindowsBase.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Set-PowerShellExitCode.ps1.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\awt.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest5-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Grace-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\MSO20SKYPEWIN32.DLL.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Set-PowerShellExitCode.ps1.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.CompilerServices.Unsafe.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Windows.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Set-PowerShellExitCode.ps1.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-ul-phn.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremDemoR_BypassTrial365-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial2-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Checkmark.White.png.tmp C:\Users\Admin\AppData\Local\Temp\_Set-PowerShellExitCode.ps1.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\System.Windows.Controls.Ribbon.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Set-PowerShellExitCode.ps1.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\UIAutomationProvider.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Set-PowerShellExitCode.ps1.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\110.0.5481.104.manifest.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Retail-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Set-PowerShellExitCode.ps1.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_OEM_Perp-pl.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] C:\Users\Admin\AppData\Local\Temp\_Set-PowerShellExitCode.ps1.exe N/A
File created C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml.tmp C:\Users\Admin\AppData\Local\Temp\_Set-PowerShellExitCode.ps1.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Web.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Set-PowerShellExitCode.ps1.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ServiceModel.Web.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\UIAutomationClientSideProviders.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Set-PowerShellExitCode.ps1.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5a6c9591417cec01a5e98363acd41e50_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\5a6c9591417cec01a5e98363acd41e50_NeikiAnalytics.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

C:\Users\Admin\AppData\Local\Temp\_Set-PowerShellExitCode.ps1.exe

"_Set-PowerShellExitCode.ps1.exe"

Network

Country Destination Domain Proto
US 52.111.227.11:443 tcp

Files
