Malware Analysis Report

2024-09-23 07:02

Sample ID 240620-fb6mrszapc
Target 35388700978233bea737cfba9ea8699b59b3ee0571beb7aa8a280bae06b1813c_NeikiAnalytics.exe
SHA256 35388700978233bea737cfba9ea8699b59b3ee0571beb7aa8a280bae06b1813c
Tags
azov discovery persistence ransomware wiper spyware stealer
score
10/10

Analysis Overview

Threat Level: Known bad

The file 35388700978233bea737cfba9ea8699b59b3ee0571beb7aa8a280bae06b1813c_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

azov discovery persistence ransomware wiper spyware stealer

Azov

Renames multiple (148) files with added filename extension

Renames multiple (7405) files with added filename extension

Modifies file permissions

Reads user/profile data of web browsers

Adds Run key to start application

Enumerates connected drives

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-20 04:42

Signatures

Unsigned PE

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 04:42

Reported

2024-06-20 04:45

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

58s

Command Line

"C:\Users\Admin\AppData\Local\Temp\35388700978233bea737cfba9ea8699b59b3ee0571beb7aa8a280bae06b1813c_NeikiAnalytics.exe"

Signatures

Azov

ransomware wiper azov

Renames multiple (148) files with added filename extension

ransomware

Modifies file permissions

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\icacls.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bandera = "C:\\ProgramData\\rdpclient.exe" | C:\Users\Admin\AppData\Local\Temp\35388700978233bea737cfba9ea8699b59b3ee0571beb7aa8a280bae06b1813c_NeikiAnalytics.exe | N/A

Enumerates connected drives

Drops file in Program Files directory

Processes

C:\Users\Admin\AppData\Local\Temp\35388700978233bea737cfba9ea8699b59b3ee0571beb7aa8a280bae06b1813c_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\35388700978233bea737cfba9ea8699b59b3ee0571beb7aa8a280bae06b1813c_NeikiAnalytics.exe"

C:\Windows\system32\icacls.exe

C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp

Files

C:\Program Files\7-Zip\Lang\RESTORE_FILES.txt

MD5 78ede93114e65f9160fd03d3357c56e6
SHA1 88d531b101e57655f1d0d26c6b3257aa2468d460
SHA256 c97412fbf88da8f91099a52888dea4c3f222cd95af3e681e3271cbca8b6b7bb5
SHA512 074a4c741273902ccacb6f573b96d8accedb2ee405dbd04350cdbf54d180c1fd577a4e90c2aae26bf72f3782403f4494db6e3501a04cfd9d7d81a6bc14884b9d

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

MD5 36099ceef6e3d74bc90e4f597d70752b
SHA1 7ad87c4c6dadeb0f92d7908512c8ab60a323a556
SHA256 e1c717fc7cd8abc1b13d4359253438c1e7e6c3b1ae440876ed8ab5126a013229
SHA512 9dfa932e075163f674ff9cc58f5ca3ad1bd2ba31fa6553f185ec05634068be8a36598242194fb7984cc98316201d5ee48e941cce9c2b6e774b0ac790fef02c4b

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 04:42

Reported

2024-06-20 04:45

Platform

win7-20240611-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\35388700978233bea737cfba9ea8699b59b3ee0571beb7aa8a280bae06b1813c_NeikiAnalytics.exe"

Signatures

Azov

ransomware wiper azov

Renames multiple (7405) files with added filename extension

ransomware

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bandera = "C:\\ProgramData\\rdpclient.exe" | C:\Users\Admin\AppData\Local\Temp\35388700978233bea737cfba9ea8699b59b3ee0571beb7aa8a280bae06b1813c_NeikiAnalytics.exe | N/A

Enumerates connected drives

Drops file in Program Files directory

File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00211_.WMF C:\Users\Admin\AppData\Local\Temp\35388700978233bea737cfba9ea8699b59b3ee0571beb7aa8a280bae06b1813c_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\Fancy\SPACER.GIF C:\Users\Admin\AppData\Local\Temp\35388700978233bea737cfba9ea8699b59b3ee0571beb7aa8a280bae06b1813c_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\console_view.png C:\Users\Admin\AppData\Local\Temp\35388700978233bea737cfba9ea8699b59b3ee0571beb7aa8a280bae06b1813c_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-profiler_ja.jar C:\Users\Admin\AppData\Local\Temp\35388700978233bea737cfba9ea8699b59b3ee0571beb7aa8a280bae06b1813c_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\FrameworkList.xml C:\Users\Admin\AppData\Local\Temp\35388700978233bea737cfba9ea8699b59b3ee0571beb7aa8a280bae06b1813c_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\currency.html C:\Users\Admin\AppData\Local\Temp\35388700978233bea737cfba9ea8699b59b3ee0571beb7aa8a280bae06b1813c_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152608.WMF C:\Users\Admin\AppData\Local\Temp\35388700978233bea737cfba9ea8699b59b3ee0571beb7aa8a280bae06b1813c_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_FormsHomePageBlank.gif C:\Users\Admin\AppData\Local\Temp\35388700978233bea737cfba9ea8699b59b3ee0571beb7aa8a280bae06b1813c_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationUp_ButtonGraphic.png C:\Users\Admin\AppData\Local\Temp\35388700978233bea737cfba9ea8699b59b3ee0571beb7aa8a280bae06b1813c_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\fr.pak C:\Users\Admin\AppData\Local\Temp\35388700978233bea737cfba9ea8699b59b3ee0571beb7aa8a280bae06b1813c_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\gadget.xml C:\Users\Admin\AppData\Local\Temp\35388700978233bea737cfba9ea8699b59b3ee0571beb7aa8a280bae06b1813c_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR4F.GIF C:\Users\Admin\AppData\Local\Temp\35388700978233bea737cfba9ea8699b59b3ee0571beb7aa8a280bae06b1813c_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\tzmappings C:\Users\Admin\AppData\Local\Temp\35388700978233bea737cfba9ea8699b59b3ee0571beb7aa8a280bae06b1813c_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00799_.WMF C:\Users\Admin\AppData\Local\Temp\35388700978233bea737cfba9ea8699b59b3ee0571beb7aa8a280bae06b1813c_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\MSPUB.DEV_F_COL.HXK C:\Users\Admin\AppData\Local\Temp\35388700978233bea737cfba9ea8699b59b3ee0571beb7aa8a280bae06b1813c_NeikiAnalytics.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\RESTORE_FILES.txt C:\Users\Admin\AppData\Local\Temp\35388700978233bea737cfba9ea8699b59b3ee0571beb7aa8a280bae06b1813c_NeikiAnalytics.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\js\RESTORE_FILES.txt C:\Users\Admin\AppData\Local\Temp\35388700978233bea737cfba9ea8699b59b3ee0571beb7aa8a280bae06b1813c_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUEPRNT\PREVIEW.GIF C:\Users\Admin\AppData\Local\Temp\35388700978233bea737cfba9ea8699b59b3ee0571beb7aa8a280bae06b1813c_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD01196_.WMF C:\Users\Admin\AppData\Local\Temp\35388700978233bea737cfba9ea8699b59b3ee0571beb7aa8a280bae06b1813c_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02448_.WMF C:\Users\Admin\AppData\Local\Temp\35388700978233bea737cfba9ea8699b59b3ee0571beb7aa8a280bae06b1813c_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationRight_SelectionSubpicture.png C:\Users\Admin\AppData\Local\Temp\35388700978233bea737cfba9ea8699b59b3ee0571beb7aa8a280bae06b1813c_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\license.html C:\Users\Admin\AppData\Local\Temp\35388700978233bea737cfba9ea8699b59b3ee0571beb7aa8a280bae06b1813c_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Bougainville C:\Users\Admin\AppData\Local\Temp\35388700978233bea737cfba9ea8699b59b3ee0571beb7aa8a280bae06b1813c_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PSRCHLTS.DAT C:\Users\Admin\AppData\Local\Temp\35388700978233bea737cfba9ea8699b59b3ee0571beb7aa8a280bae06b1813c_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe C:\Users\Admin\AppData\Local\Temp\35388700978233bea737cfba9ea8699b59b3ee0571beb7aa8a280bae06b1813c_NeikiAnalytics.exe N/A
File created C:\Program Files\Google\Chrome\Application\RESTORE_FILES.txt C:\Users\Admin\AppData\Local\Temp\35388700978233bea737cfba9ea8699b59b3ee0571beb7aa8a280bae06b1813c_NeikiAnalytics.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\35388700978233bea737cfba9ea8699b59b3ee0571beb7aa8a280bae06b1813c_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\35388700978233bea737cfba9ea8699b59b3ee0571beb7aa8a280bae06b1813c_NeikiAnalytics.exe"

Network

N/A

Files

memory/1916-10-0x0000000000120000-0x0000000000124000-memory.dmp

memory/1916-3-0x0000000000110000-0x0000000000115000-memory.dmp

memory/1916-2-0x000000013F170000-0x000000013F1B7000-memory.dmp

memory/1916-0-0x0000000000120000-0x0000000000124000-memory.dmp

memory/1916-5-0x0000000000110000-0x0000000000115000-memory.dmp

memory/1916-4-0x00000000000E0000-0x00000000000E7000-memory.dmp

memory/1916-14-0x0000000000110000-0x0000000000115000-memory.dmp

C:\Program Files\7-Zip\Lang\RESTORE_FILES.txt

MD5 78ede93114e65f9160fd03d3357c56e6
SHA1 88d531b101e57655f1d0d26c6b3257aa2468d460
SHA256 c97412fbf88da8f91099a52888dea4c3f222cd95af3e681e3271cbca8b6b7bb5
SHA512 074a4c741273902ccacb6f573b96d8accedb2ee405dbd04350cdbf54d180c1fd577a4e90c2aae26bf72f3782403f4494db6e3501a04cfd9d7d81a6bc14884b9d
