Malware Analysis Report

2025-01-06 13:03

Sample ID 240617-j6s7pssblc
Target 68c31b0705dbf8c594e6a62e3357e260_NeikiAnalytics.exe
SHA256 b9a07967aee7cc1a05381349b949fee040c7dd2307f06a64c0fb16dd39cbd3a7
Tags ransomware
Score 9/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 9/10

SHA256 b9a07967aee7cc1a05381349b949fee040c7dd2307f06a64c0fb16dd39cbd3a7

Threat Level: Likely malicious

The file 68c31b0705dbf8c594e6a62e3357e260_NeikiAnalytics.exe was found to be: Likely malicious.

Malicious Activity Summary

ransomware

Renames multiple (5490) files with added filename extension

Renames multiple (5198) files with added filename extension

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported 2024-06-17 08:17

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-17 08:17

Reported 2024-06-17 08:19

Platform win10v2004-20240508-en

Max time kernel 150s

Max time network 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\68c31b0705dbf8c594e6a62e3357e260_NeikiAnalytics.exe"

Signatures

Renames multiple (5198) files with added filename extension

ransomware

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\Zombie.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ChocolateyInstall.ps1.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\Zombie.exe | C:\Users\Admin\AppData\Local\Temp\68c31b0705dbf8c594e6a62e3357e260_NeikiAnalytics.exe | N/A
File created | C:\Windows\SysWOW64\Zombie.exe | C:\Users\Admin\AppData\Local\Temp\68c31b0705dbf8c594e6a62e3357e260_NeikiAnalytics.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-environment-l1-1-0.dll.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_Subscription-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\_ChocolateyInstall.ps1.exe | N/A
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\PresentationCore.resources.dll.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File created | C:\Program Files\Java\jre-1.8\lib\ext\zipfs.jar.tmp | C:\Users\Admin\AppData\Local\Temp\_ChocolateyInstall.ps1.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sl-si.dll.tmp | C:\Users\Admin\AppData\Local\Temp\_ChocolateyInstall.ps1.exe | N/A
File created | C:\Program Files\Common Files\System\msadc\it-IT\msdaremr.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\_ChocolateyInstall.ps1.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_KMS_Client-ppd.xrm-ms.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_KMS_Client-ul.xrm-ms.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA\libssl-1_1-x64.dll.tmp | C:\Users\Admin\AppData\Local\Temp\_ChocolateyInstall.ps1.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\System.Windows.Forms.Primitives.resources.dll.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Retail-pl.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\_ChocolateyInstall.ps1.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_de.properties.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Trial-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\_ChocolateyInstall.ps1.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\1033\officeinventoryagentfallback.xml.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-black_scale-80.png.tmp | C:\Users\Admin\AppData\Local\Temp\_ChocolateyInstall.ps1.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] | C:\Windows\SysWOW64\Zombie.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\UCRTBASE.DLL.tmp | C:\Users\Admin\AppData\Local\Temp\_ChocolateyInstall.ps1.exe | N/A
File opened for modification | C:\Program Files\Common Files\System\ado\msado21.tlb.tmp | C:\Users\Admin\AppData\Local\Temp\_ChocolateyInstall.ps1.exe | N/A
File created | C:\Program Files\Common Files\System\ado\msadomd.dll.tmp | C:\Users\Admin\AppData\Local\Temp\_ChocolateyInstall.ps1.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\_ChocolateyInstall.ps1.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\ClientOSub2019_eula.txt.tmp | C:\Users\Admin\AppData\Local\Temp\_ChocolateyInstall.ps1.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\TellMeExcel.nrr.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\msvcp140.dll.tmp | C:\Users\Admin\AppData\Local\Temp\_ChocolateyInstall.ps1.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Trial-pl.xrm-ms.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_MAK-ul-phn.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\_ChocolateyInstall.ps1.exe | N/A
File created | C:\Program Files\Google\Chrome\Application\master_preferences.tmp | C:\Users\Admin\AppData\Local\Temp\_ChocolateyInstall.ps1.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\bin\wsgen.exe.tmp | C:\Users\Admin\AppData\Local\Temp\_ChocolateyInstall.ps1.exe | N/A
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\UIAutomationClientSideProviders.dll.tmp | C:\Users\Admin\AppData\Local\Temp\_ChocolateyInstall.ps1.exe | N/A
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\Microsoft.VisualBasic.Forms.resources.dll.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Transactions.dll.tmp | C:\Users\Admin\AppData\Local\Temp\_ChocolateyInstall.ps1.exe | N/A
File created | C:\Program Files\Microsoft Office\root\fre\StartMenu_Win10.mp4.tmp | C:\Users\Admin\AppData\Local\Temp\_ChocolateyInstall.ps1.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\rsod\powerview.x-none.msi.16.x-none.tree.dat.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.VisualBasic.Core.dll.tmp | C:\Users\Admin\AppData\Local\Temp\_ChocolateyInstall.ps1.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Primitives.dll.tmp | C:\Users\Admin\AppData\Local\Temp\_ChocolateyInstall.ps1.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\GR8GALRY.GRA.tmp | C:\Users\Admin\AppData\Local\Temp\_ChocolateyInstall.ps1.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.scale-140.png.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\mce.dll.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\PresentationUI.resources.dll.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Microsoft.Win32.SystemEvents.dll.tmp | C:\Users\Admin\AppData\Local\Temp\_ChocolateyInstall.ps1.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Aspect.xml.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Handles.dll.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\WindowsAccessBridge-64.dll.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\vcruntime140.dll.tmp | C:\Users\Admin\AppData\Local\Temp\_ChocolateyInstall.ps1.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-conio-l1-1-0.dll.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\TellMeWord.nrr.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\as80.xsl.tmp | C:\Users\Admin\AppData\Local\Temp\_ChocolateyInstall.ps1.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscordbi.dll.tmp | C:\Users\Admin\AppData\Local\Temp\_ChocolateyInstall.ps1.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\jre\bin\jp2iexp.dll.tmp | C:\Users\Admin\AppData\Local\Temp\_ChocolateyInstall.ps1.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\linesdistinctive.dotx.tmp | C:\Users\Admin\AppData\Local\Temp\_ChocolateyInstall.ps1.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\1033\XLMACRO.CHM.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\MSIPC\en-us\msipc.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\_ChocolateyInstall.ps1.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipsar.xml.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Text.Json.dll.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-process-l1-1-0.dll.tmp | C:\Users\Admin\AppData\Local\Temp\_ChocolateyInstall.ps1.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\legal\jdk\lcms.md.tmp | C:\Users\Admin\AppData\Local\Temp\_ChocolateyInstall.ps1.exe | N/A
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Json.dll.tmp | C:\Users\Admin\AppData\Local\Temp\_ChocolateyInstall.ps1.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe.tmp | C:\Users\Admin\AppData\Local\Temp\_ChocolateyInstall.ps1.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\vcruntime140_1.dll.tmp | C:\Users\Admin\AppData\Local\Temp\_ChocolateyInstall.ps1.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription3-pl.xrm-ms.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Grace-ppd.xrm-ms.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019MSDNR_Retail-ppd.xrm-ms.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\MSIPC\ar\msipc.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\_ChocolateyInstall.ps1.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN114.XML.tmp | C:\Users\Admin\AppData\Local\Temp\_ChocolateyInstall.ps1.exe | N/A
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Private.Uri.dll.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\68c31b0705dbf8c594e6a62e3357e260_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\68c31b0705dbf8c594e6a62e3357e260_NeikiAnalytics.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

C:\Users\Admin\AppData\Local\Temp\_ChocolateyInstall.ps1.exe

"_ChocolateyInstall.ps1.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp

Files

C:\Windows\SysWOW64\Zombie.exe

MD5 dac20187d8fddab7a342cf5042502ce2
SHA1 57b6e91494c739b24e4d923afdcaf66e70ff309c
SHA256 7191e0ca0ff69e17675743798a50df7c864cb58969c9f802bb1eba5ad8500aa4
SHA512 1b70d8f441f47c70cf352a50983626b9635ce78ba6771068dacc713fa62a7146ad44d694bb25b4c439454192407d2ef0e571f9e5156f3a37a8d4b60281f0154a

C:\Users\Admin\AppData\Local\Temp\_ChocolateyInstall.ps1.exe

MD5 26aa53d98f03332e92dd9e0260cc0172
SHA1 c0c388fa54b023050bc1f8514dbac17a5e565d86
SHA256 15498702b52856700a6f61a1a4752f33a5e94a40e25184492a2e0110f84fb826
SHA512 ea8f80fad10f7e9561c32413abf8e9a6d7d4cb899efedf896552a3c5d758580cff3071b1eeb230f51e97219e8edf1387f41b9c523d853b712c2f134b041eede4

C:\$Recycle.Bin\S-1-5-21-1337824034-2731376981-3755436523-1000\desktop.ini.exe.tmp

MD5 239b7da2e65522a9e86b120c6c3477eb
SHA1 425b0e15f87ea7a963301e2e947cf17495dd08f3
SHA256 11b60eec7df0fedf98a6b2a718a0ba7b21725adc9930db729bfc102488b20860
SHA512 850f5f59daf574c7859c5169b051eb512917ce915c7d089d7939667a0d6d09a4577fbe0861badc1516d0b5c4b002182138b925f5ebc699b1829ac48c0f1e2e82

C:\$Recycle.Bin\S-1-5-21-1337824034-2731376981-3755436523-1000\desktop.ini.exe

MD5 0a832d423c81c26bd8c90af445da736c
SHA1 3e10d253c458722798899a85a8934f99079c513f
SHA256 06496b0f5bba288e3741e7e22b6cc7d1b434ca7d36981537180c43ecbd6374ba
SHA512 71e2eed7f5e9c1f5b275202a19da504f59e451ad49fd8d6eb1d8764fc4a75f4be0a7af4f04484b22ac138c25b54f0ffba2cc3ebec3f1f89a6367784f8babdc67

C:\Program Files\7-Zip\7-zip.chm.exe

MD5 14ace474fb10e40374be18b65838fa62
SHA1 2bc1e6061e8c2379806b196446ce7bbec0a11a05
SHA256 ea345a4ca8d2e55f8586366b73ddf385d67f156b2c1860c4412751d14ed4d8a9
SHA512 8f3695ba1d8d03372e07e591af4b33ad9f1b07a7baf8eb33c6a965dd7e6efaa3e7d31c00607a024b3f92e6f58f7e5afa99f403d93a4b4edbc44b2aef15e8389b

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 b9f4f5de5b9917fe1f95e7c076f7f76c
SHA1 021d6871453f2ff84f2dfb64a93a6f51fa8fffd2
SHA256 fffa375b8f5ba79854b0cf766923e64bc5f37646044b38d222598c3422c9a3b6
SHA512 2fa47b183cd54c44728a59b1e4a67d5217087049bd71d38ae86d32a11a5d97abc2ea559a732b2f05a0a8b3f65a2d268d4fe9312b10707b934d8ab34b2793212a

C:\Program Files\7-Zip\7z.dll.tmp

MD5 4c9679bc72fe66d28aae47332b5feb0d
SHA1 5efda92deb8872af432304f3cba4efab93a2d486
SHA256 5ded420b398cce5fec6a84afcda2fa417a4be3cd67493e7ca11b1bc0ce48ed59
SHA512 d9491c8de5392aa5deafc3469e16d4f845875e21dd232382aea9ea7e57311a52d0337e0df04515f00928276115e8467c1b3d84b9fc4d08c350c049e02d549798

C:\Program Files\7-Zip\7z.exe.tmp

MD5 69f4e5d6c740a5413cf634fb38990e6b
SHA1 abb3892b68813cfd138aadc0d851c618c8a3f29d
SHA256 ffdca45f84918cbb7038975a10164b11793933dba4b61137c9acf5f5fa8abb0e
SHA512 ca73c6706ccb83b34efe4206c2b7d7c0bfd2d02ca8b68c10ba33fc4a7e99a70edf54c00d68221469a576119966ccd0aff393377a2c56ca7b16724dfb2c587887

C:\Program Files\7-Zip\7z.sfx.tmp

MD5 c98b3cf324eb361d746097637ef590e1
SHA1 5ca5faee54fc2bc6a22f33f245c3812be44db38b
SHA256 0a1b49b0989746fbdc337d0eba37390993f31f850d4c567cfecc4452f8359f1b
SHA512 cdb13cd4f2fbfef642bb63d9461bbed025531c94bfde9ca65c4d3c9cc1ec818b550a418e74712d2e91ae63cd679bcebf91ae93a1c4888e2a657091bae869c98a

C:\Program Files\7-Zip\7zCon.sfx.tmp

MD5 b0819916111e429dfc0e049b790de694
SHA1 ad33e60bc586dcb4f6ed983ff9385ba64a7fae5c
SHA256 8ef066a73858c1bf0be450c145a6ae5333e5bd89a8ba22e88af005e8547c7495
SHA512 5159f41cf4acb50425b815404279f7ce92d38d8c48ce099d1ee6bec79474dedab98030970f333ad9198666102207de0cf5cbf8c42b295669e7a8f7087c6c7de7

C:\Program Files\7-Zip\7zFM.exe.tmp

MD5 648f4c5e3f67dde739b1a4da1017b5af
SHA1 174c1105c6fcd9b7c70ccbe73e0de07a1733e967
SHA256 6b3d791e80ca501bdebe685d808463024bcde759c8d0869d3d38f4d27e36c1d7
SHA512 65b7a0ed34e936316d50ad1b725fcff7533eac2454b3b0ec3e56ba488aea02781d4495adda92731e54964ff03f7acdb5deb7e64e264de4d014de373173dad907

C:\Program Files\7-Zip\7zG.exe.tmp

MD5 fc06b3127e7c74455901f159c5eca571
SHA1 49c5fbd2e3e1a75e87e8bcd938a9667765a01dc2
SHA256 73542604d3125714dae9388b72af07fb1749c5ba802c60e7b9a7de07977477d2
SHA512 16c9805474fed8ab73de36270122fdf2a01da064f2254544542d7d1a6e9d324c11cfa1e06bbe4740fdf49e3c2afef15039744d98a7654755f503df9fa35673a4

C:\Program Files\7-Zip\Lang\af.txt.tmp

MD5 5aaf7c76b382a8cef09e9ffe9ade1a0d
SHA1 381e67632b0376a078475ba4c04a843a77e84e2b
SHA256 38671cadf7637bc756a587f9bc535560fc9d247bb0afe9b064c3994ab249cb0b
SHA512 fffd1ce20fceb5d08a2d11c5b7f8f96178f6a3ee599c27beccd9a746904e53896d774d57781013d9c00590728776ae29b38a770db12b56a3e8a1a1fb3ee04461

C:\Program Files\7-Zip\Lang\ast.txt.tmp

MD5 a61e9ef5e5a7e1ee8e125bd2f68d1609
SHA1 3fd420ae769bda0822f5bf0a6314a572cd75e715
SHA256 61b380f3eb7f82cd2eff5f947df476462e8752d2580b359e23599854de13b95b
SHA512 6e643a95a57c9c075acb2341d0d957c51b657bcc014e57b9d59ceaad0ced8b4d1a4745598824c7bbed0f77518827ccf28193d82e8e95c022d6d0080726717d04

C:\Program Files\7-Zip\Lang\az.txt.tmp

MD5 562704b2a69c6ffdbcdf1f196b4e5d9c
SHA1 69612ef0d89a430da6e2c9917f330f6eaabaed83
SHA256 6c601ad64119fccfc85ba4491874a78c8675bb0a6644a6a81184900a8210e3fe
SHA512 18494ae059fa1aca447f9e022e42defb42068a33b4bd1faa7495346347f7eeb43833aa4ed0042815c302447d25ddba2300dca8b07248aa33b9e814eb7d033624

C:\Program Files\7-Zip\Lang\ba.txt.tmp

MD5 f8b654c7d51818db4b6a2ff3789ccfec
SHA1 a594412f58d68dc8114a8712d393ffcd1d0b94a0
SHA256 34ac11f21c2e3bd9bb635b69484c8d68f31db402194ecb40c8e45f35ba4d0b93
SHA512 10507183e5b813dc80d0bb7d141cd87b9d8d9de4c57a636c6b628b0b155fe7adab065faacde4ab3b6fe37dc2bc181112911c9d9b3fc86b6149d77039a035ef4a

C:\Program Files\7-Zip\Lang\be.txt.tmp

MD5 ec3426e636109fe7a8a7de51d6d56eaa
SHA1 b5abfec494f5ffeef7bfaecd566ee439ad0e2606
SHA256 3749c63b3f98a9cff66c04730d428416ef296d78be787a72d7597870a7cb4d3c
SHA512 daf2d7002678fc1daf1f8ce1efeae4eef1eed3fdd34228966f4b374b8f1acde8eb03317ee6f97be7d5506a0054d19ed49fc36ab5452279c198147f85dde5c534

C:\Program Files\7-Zip\Lang\br.txt.tmp

MD5 84db74445b368c035e989aaf5835e577
SHA1 087ae2863187029f65f26b607b8798a7cc504bca
SHA256 ab5243a47a5508ea7043284a86a9a4fcfb6b478a544cfdfcdfd819fa4545f82a
SHA512 245eda1e553b5ccd099ea547a3989ef012f80bb5435dfd470591516714bd1e43884786dd77b8836e143bd560ae3ca3a1953072094c09404b458b8c67af7f04a6

C:\Program Files\7-Zip\Lang\ca.txt.tmp

MD5 0fa9cbe81b1d04c8f46044a7f6a4ae84
SHA1 890cf5a914400552a56181031bd68d79f7a8ab65
SHA256 26452f8240d9dabd884f12b19ea3a9accfcbd0c75fac7453e49fe9f20beb80a4
SHA512 0f091a2e3fd6f96c3b16497b8434fb51b4f6a9ab25711e4007833868656efc57c008e737cb768d5eb7b3039b3570da3bfc8d0fa19260c245e6069e103d183c92

C:\Program Files\7-Zip\Lang\cs.txt.tmp

MD5 697b9a11c7beada6852aa005fda97313
SHA1 7aafd67bda310d784ee94ae5b103f6780ffac2e4
SHA256 e8abf96b9c9539d47429c110b39af5eee7dec99d059806f7059132bde9d97164
SHA512 21b16cb091c4ccf28cabec6a1c950e3b61846ae445f377e888e5af962cf61577c45ef68c2da02635cbaf57e50d81067b819c64fb8398485d22c4ddc1e1918c67

C:\Program Files\7-Zip\Lang\cy.txt.tmp

MD5 e795d7ad7a11fc9dd0f1571a4b94cab1
SHA1 c2522bed35bf946d52bd7468c71e97513d287b28
SHA256 681dcb197ee0795676dc312e1f89ce04787f9d213aff0ae473d15aad8cba3f96
SHA512 ad36c680c76a61003f8eeca2ed25dfae24944005efc3517ec8d220896e12d5ebadb9c150803e96bdee26e1d8cbd4adafc739be615f6ca85a20b881039885aacb

C:\Program Files\7-Zip\Lang\el.txt.tmp

MD5 96897812e938e2192477d4d6517d9226
SHA1 eacd20f2a25e4dcde47bb5e7bf59a33bbb024a76
SHA256 2ed659d6f50a1619ee0a4631ecea468ccf030a484be04ca96c6cc23c03103b85
SHA512 23839723452018942bff9e99159010e7e9194963099046971b337301fb917c8c9ca3b6cb7b75bd79416c8caf441867311768154bdfa04242e1384e07b8d4f313

C:\Program Files\7-Zip\Lang\en.ttt.tmp

MD5 e559bba1edcf854948658d4604718e6a
SHA1 d050e513f9ac3d2e2414d2cfd0c27d43c8fb3351
SHA256 5c40b83e335b5663cb13c01b328f32450f19a82a34eb219b9742d4f0ebf60566
SHA512 4b474796fd61ffed098126b2bf226ae57fe392994d3651dd7cbaecae0169fd5e739ca28df9270863585f35ad632e7cdc3d250e3181d2cbfa3252a96db16b8fd0

C:\Program Files\7-Zip\Lang\es.txt.tmp

MD5 a66dc3de510f8b8b3e76e93ba25b8ef8
SHA1 43c5b489dafd1ef72b06a8aaeb1f55d0cc668734
SHA256 b3b76932ba3c57180e16cc40087bd4f94301232ca0f9084a8d065fa97d8524e4
SHA512 00e4a920a0f6382f900d1bb91abbbffff251e55b219905adad3926c19e963751db0cb0f1161f930bf7860f59f4cfa3f4cf87b15bc8ab7e369350453d2bc9005c

C:\Program Files\7-Zip\Lang\eu.txt.tmp

MD5 381686e5faee45728fbe788780677542
SHA1 e9325501fe88379971579f207188e36b8459d054
SHA256 f0e63ded462a5a8a0e8b8825602ff002c0bbb6d35632b12bed9c5e2e6b82dfcb
SHA512 468f7c2ce0f7c2d64e648cc62101b1362c191db6c0905a2667a18bce248d48b5e68823b1e1e0a90eaa73ed2da30fd302089118d4fc0796da7ece410614e93c89

C:\Program Files\7-Zip\Lang\fa.txt.tmp

MD5 3a6660908ec5105c6cb0a5db7b843a36
SHA1 e6ad15f9c34f7330a8c5feabcc736cd258d49c2b
SHA256 8590e62db342baf72f1af1a5a518ac6f89a7bab301e3d6af67b4597927d49aeb
SHA512 70d6686455245c6eab274411d138ff1e29205f7e11e4c8e26cfa485d3764bf68b9aeeae0b8059dcbc89863365b1cb4d645aa7a8ed8ffe181f3e369cef347018c

C:\Program Files\7-Zip\Lang\fi.txt.tmp

MD5 61bd7d04de3c1cc3efdd63bc94d1bc7b
SHA1 21e190db6a1989a5aacc9a81f76e54819f36eb3c
SHA256 7088a6bbc361132826fe88e0ffb7a1bc0abb337b26f3aae2bf3f13fac47efe46
SHA512 1f4e042e88f464f91683b36bf8e8680156192a0602c235e46428fb17374f31952982b1872ff8921bcf40cb69f3b893068d9d0e4b85bc059b56a9f4c751050741

C:\Program Files\7-Zip\Lang\fr.txt.tmp

MD5 e3577944c174b8205d3bbf6ad6f3befa
SHA1 053f4ec93731dfb9484ba74a93f4af37cfddcf66
SHA256 d7038b8558fd5f0f5c11c20b4fbd806d6109a9db02eafff119d8c21122cf7bfa
SHA512 0127f254556dfaab6c0de84ceed2533a2096ff938e0101dac1547712e579c8673da59f9d45b82dae8a25fe3a9180f7936e81cf537a7fa48a012ca8775951f82b

C:\Program Files\7-Zip\Lang\fur.txt.tmp

MD5 5b7a3cd76ce32e54144493c75053f6cc
SHA1 40c5b2047c0e6fef1c71792862cefa38d86064b2
SHA256 c6e9ccbf0cd27a0778f3bc9ee234c54b167cdcd49c0660492f773c20a891bee3
SHA512 f28871bb6125c6d6a46fa0f0779cdf7b6d57295ee6ca7093af7c0849d8d42ee75974c3dfe826f731dd290303124cdd46d6f8b7b98ef2bca5355ff441bed91416

C:\Program Files\7-Zip\Lang\fy.txt.tmp

MD5 1a9e5201147be1dc6a5e6295c5d28e1c
SHA1 c1e756587ceadb64cf80522f2e85ddb0c96b09a7
SHA256 7a8be4bfecf2a554201844227d2dac7cb7e35194b1c6df729d7d1487f3e33363
SHA512 8d270e5432ddd619abe5d8bb0c5eeb26495945bc5e713e03b10f2afe1440c012c612a07e148b8be0cee1132d41a96456b0fce84cf0ccff9c128ffab52ef90b59

C:\Program Files\7-Zip\Lang\ga.txt.tmp

MD5 c6abc374036c985ec30815e8ef98b8d7
SHA1 7c6e0e624a95cc9f8b7bb7d38ff11f375de16038
SHA256 a01bc71e9d7683c96d968cfa860a9eb3f75bca3bc314b2172b4a38e6c75d5490
SHA512 8f049962e503d415f4032afee17e6bee5b0980b038727530f8d4816c323ded36043be257661dcd56f1968f2957e27f5bcc909f58ec12ec8a60cb37439cec0679

C:\Program Files\7-Zip\Lang\he.txt.tmp

MD5 9c03088504a30c3c36f36b5d6d38d09c
SHA1 94526f341a6d012298f5ba96de439fea05c2eac2
SHA256 4c7927a651d4a926e732076dcf4af6a7f500f970524b45028da25845f0a83d26
SHA512 eb25d33312ec8d60184079d7a5872646f444d86dbf329cd38d13d0a19314e5bf62c9278b014812a64af19b98960969d0119a50b3dc239646b1a275854cac830f

C:\Program Files\7-Zip\Lang\he.txt.tmp

MD5 614c5123ddae2142501249f67b3a85f9
SHA1 08d1bdb0555edf48cd0629237219ca274afeae7b
SHA256 a3d5e8986ca67032843ab020bdf6172f02707c49546c75ffbe0cece979fadae5
SHA512 4807ee63569d0bae07c29eda9785cea6b6059042d7b9dd8f6aaea00b6b88fe27f0c46abcd50acc1f74420e3b5a6d2358b6ce1d19cc8901aa602bc3c22235dcee

C:\Program Files\7-Zip\Lang\hr.txt.tmp

MD5 1590e33a2b8875fbfe3b509c54bef4bf
SHA1 14d58538f819321063c87d8cd856cd457a3abdbd
SHA256 578a8f6ea46b237b31dc5ed12543397555bd20b64cc2eb1407ba548afe07228b
SHA512 2bc45b0820fdf8cce6f73e234bdfb6b7e0bf609325e1c04603ae2f70c8b137ee2fb43a29a3b70c00202adcbb55458c8fe5b21e08c4bb8e879201c9bd1e7aa2b7

C:\Program Files\7-Zip\Lang\hi.txt.tmp

MD5 c428e1b3eb2a65415d4154e6a8d27d04
SHA1 f8334ecb098245ef0f62c43f03db306fca544d1f
SHA256 a0ba48a8d1f0e903ec0d3058dddb09627e27610514276f566a6e85d478060a85
SHA512 901ad67f3df4f8029181521fd024a93b1caf8a97d9996c9a6ca739c61ea7a7e54162bffc8378d14347f3f56212af72b73dddf7891c418020d3f90e4355f9decd

C:\Program Files\7-Zip\Lang\hu.txt.tmp

MD5 36c2fa620b276c31d3eb8efbdc6027aa
SHA1 2c931b8b6e03a5ad8cb0e6318449f497416d7a31
SHA256 5a7fab40bdde71d06e27789fcdeb95cda305dfef1a959414999ff77c4fe88397
SHA512 e999bdf2920bba05da3fc5314671dbc83a9e53876068a07bd217b84a58a67efb484b7b85c2b6e6e1610013231d4ee19b0d1c369d6db14539e2d16c21e5c817e4

C:\Program Files\7-Zip\Lang\hy.txt.tmp

MD5 912af0ddf90d69fdb4094407ce2cd490
SHA1 d8830dcb398447b24ff1da34d45a925649a865ec
SHA256 021ce087c128f0e64ca86074c81f6542eafb86330c80e45ce31abc1162e110c2
SHA512 370e9eb9239b3ff75df09f2cb4a36e7bee2e06350f452e085bee4bed30db55de40b918b06486bd5714cefc0295a450070e5a97af55863e887e16785e84a00fd0

C:\Program Files\7-Zip\Lang\io.txt.tmp

MD5 267eb9d7134d723d7bc4b559787ce484
SHA1 53e01e1aa85417d7affd5fe687f20c738cdaf287
SHA256 2bfed591ddb693d484875c8bab6f7e53f29ba42a5777cf06de3ec9615333613a
SHA512 a5ea95b37be6482b1b0ec2046b6c81ced461921f6be4bb5769c040dcee4e0a8e6eeb711c2fd5f9e9a5094e6680a990d8c47a908452cc5f29e03df0ad5a9e0f68

C:\Program Files\7-Zip\Lang\ja.txt.tmp

MD5 727d01f40c35f72efaa031a358f84276
SHA1 be06c46b825889cd063a49e5d0db773e3a6ed581
SHA256 8b4c53e91f4209a1e4d4295df42d5008c38e0e9e8e24bff85456c8fc318cd7cb
SHA512 7f6149769ff449eeb8ec70ac4cfc95fc8d185407e55e10969ea2fa173268088223ad6316518a3c7106ccb967e92ddb68cd3937fb137241ce63d643c60be47190

C:\Program Files\7-Zip\Lang\ka.txt.tmp

MD5 88a0b93211620021f960fc1681246394
SHA1 d483efcb4e41d8bcde7195d96c5b0a994e075b58
SHA256 ad0f39eca5473c2726bb6070700f1ca9cc3c6ff34ef82a20fc451d10104c52d7
SHA512 4ba9739214c92c045342cd1930936bba3d535761e1c7ec5f3540858617a6efd24463b793d79d12517eb3da2e5a9b1bca082e604740141e5e4f2e647f65f57a76

C:\Program Files\7-Zip\Lang\kaa.txt.tmp

MD5 67b1702c681abdd0cf43d7c5865c8380
SHA1 41c996919632174c813145582a93b6e0e4fe4571
SHA256 56e84fb8c6cecb4981890e45b88e7f6590edad4913654f15aef121fbb1b44adb
SHA512 e3f75ce978c3f00fca453efbd563cb9e2a7354eab3157a91cb1c40917588880e99c2485705224d84e0ee4d4258e7f4467ef7044e0a0884d19d135c039c9fc204

C:\Program Files\7-Zip\Lang\kk.txt.tmp

MD5 316cebb9e4befb363bde7e2e49501406
SHA1 b7bd160722c5eff0ced7ab50826534387414965a
SHA256 ac62409909b457d351d35019dd81c6338b200238f153c377dfb9296d0de40815
SHA512 949f714f9148db03984e865709029610a31d7a2f9f926b1978793bb9e4103a9386b6011321e81e7bde2ee3b7c2fb0f3ed923f6c0f3b224f8b81a0e6446d4fbc7

C:\Program Files\7-Zip\Lang\ko.txt.tmp

MD5 02e6d3f40328ffca51f684554c01adaa
SHA1 c4eccc07d3f2f6fa6ff64fbb677cfad722cf606e
SHA256 13b5e6f6d2d3a32f6f3a88273e40e265dae73720bbf1b5ce2bf10f1fe3a208e9
SHA512 b12b3a1a185d43b7617c8e6d1aa1dd03dbfbaba9a854bfd042963c54582476ed89d884b47f17fc7330f7a4920f19fcd15e47e800e6b3f6b9bb397c2fe7deb6e9

C:\Program Files\7-Zip\Lang\ku-ckb.txt.tmp

MD5 7cb56278f69a689cc436ae548e9b9057
SHA1 0db768879f88a3c77b418495a90bd3330b1fe69f
SHA256 033aafbc371d7f0e49b8df575dc908ea6d072e3a44a466e09c8ea798d144c301
SHA512 f5e6501e2833646f179a627ecf65cd62bfa042f9b420a9416047a36b95c7b37c1e4650e562bd89541196855d4e4d3573c8923c6891dff0562b0c4e8971a0c4a1

C:\Program Files\7-Zip\Lang\ku-ckb.txt.tmp

MD5 1579ac3736cc3e5efce77a5eaf52dd55
SHA1 463dfb8060c031925060c0ee8c2d9dc0944f9029
SHA256 d4e7665f95d428442828d81ff9cecba2357009b116cd1e096ce65666bc3fa7fa
SHA512 bad46eec27a0d7a97a8d61fbfc37fa2485760a8189157f2bf0500d78c7fc3189e804fef1c90013436ba37dbf5918ba7c34a9c877179edd37640c7b4c52d8ada4

C:\Program Files\7-Zip\Lang\ku.txt.tmp

MD5 d9a31677d110bc1df4739a45e8fe4bee
SHA1 0482d3d3d5841b7801d7800efb6aa0b0bc63cef3
SHA256 d7d03146b569257e976332490ea6cb2e950f91eb5633ce03556e5306b860bebd
SHA512 5dff7985ecfa6fc24a75bbf9babced357b1cffc1fe0af94c4ead8633634b9552b60e983a9ffdaec13c76473c95f65d280ccc16d61903ff29fa1f653c21026de6

C:\Program Files\7-Zip\Lang\ky.txt.tmp

MD5 ec974731bb4019d24d5c905cc300991c
SHA1 75032765f60aa730a7a61ee6a377b80720680ea8
SHA256 8bab83f0a325203e74a1ab5b3f2f416a6d9ac5c2c53dd0e18ed9bb9a73b79ea3
SHA512 048deb3d11d727f4b2dbbaa1223b21442ed5dd017657505fedaf05aeb4105cd55a491fbe4fdd1811ef8db1d3a9b15091f38411885653e4d2e65a75f8ae274082

C:\Program Files\7-Zip\Lang\lij.txt.tmp

MD5 0c810ad6ce748a4efc271b6b53f86385
SHA1 ce70147afb83d08f34d55af37d3ad8b4c6c38baf
SHA256 1e7233644f616f6159f9b17c137bb9e4c64fedb12f62b8f477db3445a697a495
SHA512 17cb18ced757ca380c2add12fcf651b9496e8f48fc4e2bb2b5a756e00cf2a4eb4bbd2d358e9428a712b42259560f8bb58c6f2d0404675fa85e6a4a375462428b

C:\Program Files\7-Zip\Lang\lv.txt.tmp

MD5 777f3fd1e3284a1791e0a1c4b61487f1
SHA1 cde69f76517ec631de8af8208ef98067f8a10183
SHA256 e83c6a12faf9ee1c0a363a839a219885cc7f8847fe55e4b2263f74f75d8981d4
SHA512 95a6b8160de0b2ee577aadfab05d42adec31e5732072dbeaaa5862c4ac7fa4b67e678078e4635094909fc7be8a1c9e5e85b45b64c68b0b9db8f1e0496f55dbf2

C:\Program Files\7-Zip\Lang\mk.txt.tmp

MD5 0c4f69b79f2635d5e713024b974b4e56
SHA1 580d07ed6016609c84e9e1d4d33f4e26d1973ea5
SHA256 d7a6178cbaf3caf08af030ff434eeef5d32bad6c2677be9c947ca8222999779e
SHA512 e95049341ae3916c4737ecbf8093056047babb75919ac3e0bfa3e56665c40fc06f1fc5ae3d062114b30c4d71c4b71c14e7922370178ee9dbd7dde735ce0fb646

C:\Program Files\7-Zip\Lang\mn.txt.tmp

MD5 f25b57f422179d36e261a1755c42fff8
SHA1 c60877c9d11de9ab47c1884539dc01b8f2e793f6
SHA256 a99c7fddac92d82c1c36548606d3158cb22b894fbd7c4ae7e66e4475ac8bfebb
SHA512 6324bcee4baba9e94066e38e486137e90bd8e5e7f221e1d5f248e172c3236885161a4058ab3bfbc860a34db1469dc36a2f30c297c7a2231bc440ddca3e81303b

C:\Program Files\7-Zip\Lang\mng2.txt.tmp

MD5 f44801c22877d4524ff89609abb584ea
SHA1 9b8267b9430e2a6ffcc6502f42b05c0ed22ddf90
SHA256 355ca92f47f5c79cb852f5f6ab82f9247ab4779c355aa8ec8ab750299de32c85
SHA512 5d5339bf689effd8f31e05d110df63c9adde267865dc3a3293fcb91f73bab2fb305e1f752f1688ade10e066f3365e4cd8c6836887ffd1c17f36583fd4a31ea3c

C:\Program Files\7-Zip\Lang\mr.txt.tmp

MD5 f0a32a77f643c564d97b025c1657a72f
SHA1 496947b4b085cc1f5ad6c9e3e0147c7c2dfac557
SHA256 4644442bf305eaa4eebd20cbac3c8787796bacd46fc006b0c389858064870448
SHA512 ae2c3fef28fb6f75d61d33d1e194a068ab29bcd7af4b0d76403a166f5800e39611816b845957b875451c87e7afc69d6ad7a740b9bb7de600fb596a88a53e9b14

C:\Program Files\7-Zip\Lang\ne.txt.tmp

MD5 965536555c5e652fb35fff64ad75cb96
SHA1 e0408d015bf89d867d5e41ba1c14b7d37670087d
SHA256 1dc5dbe59d380657543d55fb6a6f66a6660c178e50a520a9418e29bcfc739ebe
SHA512 4e274cf9eee8d1059941d58abd573c535af3f7dd799d1659f89a82645720d2d6627900d91643c99f407fa057ff96524426d3dc5e2229d9d1a87b27bb825ff5c4

C:\Program Files\7-Zip\Lang\nl.txt.tmp

MD5 c3d1ca2b67075d3aa8721afde447e45a
SHA1 ab6f5c74c330cdd2cfc854e70036abccf6ac19bb
SHA256 5073b107837759a65bcf353903c25a8b0f835095dc5c3d645f61be058bbb8a0e
SHA512 7e80707081c6329639de51fdaa336cb26e241ba000044170bff308c84a3baeb717000e20489cb9627c693ca453d73e35f845840812e457f0ae9182528bdde1a6

C:\Program Files\7-Zip\Lang\nn.txt.tmp

MD5 4e47c0df6ba8ef574c80a1467bb4fd67
SHA1 b44f0cb410679c103ebbe05eb399a0a7214ddc36
SHA256 2ea3dae578e8d2e44fcacab2a36fc0e912feae98b6bd52842ab34a0648cd92b3
SHA512 c9275803e1de10e8f23d655bbef8b6859696784c7faf505c3d70b128083ca06dc37c07524187eef4606720d54bcaa3fbef6842dd98b2e49b8068f3dd56dfc100

C:\Program Files\Common Files\System\msadc\es-ES\msadcor.dll.mui.tmp

MD5 08b1bdd6227b6cf0c26005bbf30bc538
SHA1 2eff7a3967c6a7f4ab71891df570750f59c075b9
SHA256 dc5abdb6bc021eb84681ce36553b0a21f1672ba2d464107501421257067f1058
SHA512 47b0555a1c22b8d951d50a1a7b4374def21fd0bd131d3b447b33bce72b418f7208cefaed3b7c34c2ec1e9c14774ba32c505384979129cf40c9d692c90bb8a768

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-17 08:17

Reported 2024-06-17 08:19

Platform win7-20240611-en

Max time kernel 150s

Max time network 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\68c31b0705dbf8c594e6a62e3357e260_NeikiAnalytics.exe"

Signatures

Renames multiple (5490) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_ChocolateyInstall.ps1.exe N/A
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\68c31b0705dbf8c594e6a62e3357e260_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\68c31b0705dbf8c594e6a62e3357e260_NeikiAnalytics.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Connectivity.gif.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Manaus.tmp C:\Users\Admin\AppData\Local\Temp\_ChocolateyInstall.ps1.exe N/A
File created C:\Program Files\DVD Maker\ja-JP\OmdProject.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\js\timeZones.js.tmp C:\Users\Admin\AppData\Local\Temp\_ChocolateyInstall.ps1.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\flower.png.tmp C:\Users\Admin\AppData\Local\Temp\_ChocolateyInstall.ps1.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\IPSEventLogMsg.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Internet Explorer\Timeline_is.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Atlantic\South_Georgia.tmp C:\Users\Admin\AppData\Local\Temp\_ChocolateyInstall.ps1.exe N/A
File created C:\Program Files\Mozilla Firefox\precomplete.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Management.Instrumentation.Resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libinvert_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\_ChocolateyInstall.ps1.exe N/A
File created C:\Program Files\Windows Journal\ja-JP\JNTFiltr.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\vlc.mo.tmp C:\Users\Admin\AppData\Local\Temp\_ChocolateyInstall.ps1.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Swift_Current.tmp C:\Users\Admin\AppData\Local\Temp\_ChocolateyInstall.ps1.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+11.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Kosrae.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-modules-options-api.xml.tmp C:\Users\Admin\AppData\Local\Temp\_ChocolateyInstall.ps1.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-cli.xml.tmp C:\Users\Admin\AppData\Local\Temp\_ChocolateyInstall.ps1.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.app.nl_ja_4.4.0.v20140623020002.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\core_ja.jar.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\images\Video-48.png.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\demux\libsmf_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\_ChocolateyInstall.ps1.exe N/A
File created C:\Program Files\7-Zip\Lang\tk.txt.tmp C:\Users\Admin\AppData\Local\Temp\_ChocolateyInstall.ps1.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_ChocolateyInstall.ps1.exe N/A
File created C:\Program Files\ConvertToReceive.pcx.tmp C:\Users\Admin\AppData\Local\Temp\_ChocolateyInstall.ps1.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-snaptracer.xml.tmp C:\Users\Admin\AppData\Local\Temp\_ChocolateyInstall.ps1.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-print_ja.jar.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\psfontj2d.properties.tmp C:\Users\Admin\AppData\Local\Temp\_ChocolateyInstall.ps1.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\New_York.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-modules.xml.tmp C:\Users\Admin\AppData\Local\Temp\_ChocolateyInstall.ps1.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\core_zh_CN.jar.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_single_bkg.png.tmp C:\Users\Admin\AppData\Local\Temp\_ChocolateyInstall.ps1.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Montevideo.tmp C:\Users\Admin\AppData\Local\Temp\_ChocolateyInstall.ps1.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Pacific\Efate.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Data.DataSetExtensions.Resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_ChocolateyInstall.ps1.exe N/A
File created C:\Program Files\Windows Journal\Templates\To_Do_List.jtp.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_ChocolateyInstall.ps1.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Buenos_Aires.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Tokyo.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.model.workbench.nl_zh_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\_ChocolateyInstall.ps1.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-core-kit.xml.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-masterfs-nio2_ja.jar.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ug.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe.tmp C:\Users\Admin\AppData\Local\Temp\_ChocolateyInstall.ps1.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\sunec.jar.tmp C:\Users\Admin\AppData\Local\Temp\_ChocolateyInstall.ps1.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Asia\Krasnoyarsk.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Asia\Magadan.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Media Player\en-US\wmplayer.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\_ChocolateyInstall.ps1.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\specialoccasion.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\updater_zh_CN.jar.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Manaus.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\gadget.xml.tmp C:\Users\Admin\AppData\Local\Temp\_ChocolateyInstall.ps1.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\split.avi.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\flight_recorder.png.tmp C:\Users\Admin\AppData\Local\Temp\_ChocolateyInstall.ps1.exe N/A
File created C:\Program Files\Microsoft Games\Chess\ja-JP\Chess.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\_ChocolateyInstall.ps1.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\codec\libcc_plugin.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libextract_plugin.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Mail\fr-FR\WinMail.exe.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Media Player\Media Renderer\DMR_120.jpg.tmp C:\Users\Admin\AppData\Local\Temp\_ChocolateyInstall.ps1.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Lima.tmp C:\Users\Admin\AppData\Local\Temp\_ChocolateyInstall.ps1.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Indian\Cocos.tmp C:\Users\Admin\AppData\Local\Temp\_ChocolateyInstall.ps1.exe N/A
File created C:\Program Files\Microsoft Games\Purble Place\de-DE\PurblePlace.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\_ChocolateyInstall.ps1.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libdemuxdump_plugin.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Iqaluit.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2808 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\68c31b0705dbf8c594e6a62e3357e260_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\_ChocolateyInstall.ps1.exe
PID 2808 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\68c31b0705dbf8c594e6a62e3357e260_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\_ChocolateyInstall.ps1.exe
PID 2808 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\68c31b0705dbf8c594e6a62e3357e260_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\_ChocolateyInstall.ps1.exe
PID 2808 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\68c31b0705dbf8c594e6a62e3357e260_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\_ChocolateyInstall.ps1.exe
PID 2808 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\68c31b0705dbf8c594e6a62e3357e260_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\_ChocolateyInstall.ps1.exe
PID 2808 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\68c31b0705dbf8c594e6a62e3357e260_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\_ChocolateyInstall.ps1.exe
PID 2808 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\68c31b0705dbf8c594e6a62e3357e260_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\_ChocolateyInstall.ps1.exe
PID 2808 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\68c31b0705dbf8c594e6a62e3357e260_NeikiAnalytics.exe C:\Windows\SysWOW64\Zombie.exe
PID 2808 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\68c31b0705dbf8c594e6a62e3357e260_NeikiAnalytics.exe C:\Windows\SysWOW64\Zombie.exe
PID 2808 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\68c31b0705dbf8c594e6a62e3357e260_NeikiAnalytics.exe C:\Windows\SysWOW64\Zombie.exe
PID 2808 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\68c31b0705dbf8c594e6a62e3357e260_NeikiAnalytics.exe C:\Windows\SysWOW64\Zombie.exe

Processes

C:\Users\Admin\AppData\Local\Temp\68c31b0705dbf8c594e6a62e3357e260_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\68c31b0705dbf8c594e6a62e3357e260_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\_ChocolateyInstall.ps1.exe

"_ChocolateyInstall.ps1.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

Network

N/A

Files
