ce79c3201c1bc9bb2d2cb2fa53304f9f972ae2085e6a47fbb78dd493b6b769fb

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25-04-2024 03:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ce79c3201c1bc9bb2d2cb2fa53304f9f972ae2085e6a47fbb78dd493b6b769fb.exe
Size

229KB
MD5

186859c4a251451ddde074d7395c1bab
SHA1

0902c8d7595cfea928bb4c47a4712f58e9a5f542
SHA256

ce79c3201c1bc9bb2d2cb2fa53304f9f972ae2085e6a47fbb78dd493b6b769fb
SHA512

347956d4bac51b1220b293a202008e021bc3dddd6794fa23e578af6c5ba06155b8e419627a8f257df4f922724fc09d61eac25565de9b28f455585abc2384e758
SSDEEP

3072:hfAIuZAIuYSMjoqtMHfhflixiJfAIuZAIuYSMjoqtMHfhflixiQ:hfAIuZAIuDMVtM/XfAIuZAIuDMVtM/+

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (4464) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 52 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2272-0-0x0000000000400000-0x000000000040A000-memory.dmp	UPX
C:\Users\Admin\AppData\Local\Temp\_cup.exe.ignore.exe	UPX
\Windows\SysWOW64\Zombie.exe	UPX
behavioral1/memory/2272-8-0x00000000003B0000-0x00000000003BA000-memory.dmp	UPX
behavioral1/memory/2892-15-0x0000000000400000-0x000000000040A000-memory.dmp	UPX
C:\$Recycle.Bin\S-1-5-21-3452737119-3959686427-228443150-1000\desktop.ini.tmp	UPX
C:\$Recycle.Bin\S-1-5-21-3452737119-3959686427-228443150-1000\desktop.ini.exe.tmp	UPX
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe	UPX
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\osetup.dll.tmp	UPX
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe	UPX
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml.tmp	UPX
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml.tmp	UPX
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml.tmp	UPX
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.exe	UPX
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OnoteLR.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveLR.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwintl20.dll.exe	UPX
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\branding.xml.tmp	UPX
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE.tmp	UPX
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe.tmp	UPX
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\msvcr90.dll.tmp	UPX
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Microsoft.VC90.CRT.manifest.tmp	UPX
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Setup.xml.tmp	UPX
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\ShellUI.MST.tmp	UPX
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.xml.tmp	UPX

Executes dropped EXE 2 IoCs

Processes:

_cup.exe.ignore.exeZombie.exe

pid process

2892 _cup.exe.ignore.exe
2936 Zombie.exe

pid	process
2892	_cup.exe.ignore.exe
2936	Zombie.exe

Loads dropped DLL 4 IoCs

Processes:

ce79c3201c1bc9bb2d2cb2fa53304f9f972ae2085e6a47fbb78dd493b6b769fb.exe

pid	process
2272	ce79c3201c1bc9bb2d2cb2fa53304f9f972ae2085e6a47fbb78dd493b6b769fb.exe
2272	ce79c3201c1bc9bb2d2cb2fa53304f9f972ae2085e6a47fbb78dd493b6b769fb.exe
2272	ce79c3201c1bc9bb2d2cb2fa53304f9f972ae2085e6a47fbb78dd493b6b769fb.exe
2272	ce79c3201c1bc9bb2d2cb2fa53304f9f972ae2085e6a47fbb78dd493b6b769fb.exe

UPX packed file 53 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2272-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_cup.exe.ignore.exe	upx
\Windows\SysWOW64\Zombie.exe	upx
behavioral1/memory/2272-8-0x00000000003B0000-0x00000000003BA000-memory.dmp	upx
behavioral1/memory/2892-15-0x0000000000400000-0x000000000040A000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-3452737119-3959686427-228443150-1000\desktop.ini.tmp	upx
C:\$Recycle.Bin\S-1-5-21-3452737119-3959686427-228443150-1000\desktop.ini.exe.tmp	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\osetup.dll.tmp	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.tmp	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe	upx
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.tmp	upx
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.tmp	upx
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml.tmp	upx
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml.tmp	upx
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.tmp	upx
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.tmp	upx
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml.tmp	upx
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab.tmp	upx
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.exe	upx
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.tmp	upx
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi.tmp	upx
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.tmp	upx
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi.tmp	upx
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab.tmp	upx
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OnoteLR.cab.tmp	upx
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveLR.cab.tmp	upx
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwintl20.dll.exe	upx
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\branding.xml.tmp	upx
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE.tmp	upx
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe.tmp	upx
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\msvcr90.dll.tmp	upx
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Microsoft.VC90.CRT.manifest.tmp	upx
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Setup.xml.tmp	upx
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\ShellUI.MST.tmp	upx
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.xml.tmp	upx

Drops file in System32 directory 2 IoCs

Processes:

ce79c3201c1bc9bb2d2cb2fa53304f9f972ae2085e6a47fbb78dd493b6b769fb.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Zombie.exe	ce79c3201c1bc9bb2d2cb2fa53304f9f972ae2085e6a47fbb78dd493b6b769fb.exe
File opened for modification	C:\Windows\SysWOW64\Zombie.exe	ce79c3201c1bc9bb2d2cb2fa53304f9f972ae2085e6a47fbb78dd493b6b769fb.exe

Drops file in Program Files directory 64 IoCs

Processes:

_cup.exe.ignore.exeZombie.exe

description	ioc	process
File created	C:\Program Files\7-Zip\Lang\eo.txt.tmp	_cup.exe.ignore.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\numbase.xml.tmp	_cup.exe.ignore.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.updatechecker.nl_zh_4.4.0.v20140623020002.jar.tmp	_cup.exe.ignore.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Damascus.tmp	_cup.exe.ignore.exe
File created	C:\Program Files\Windows Media Player\Media Renderer\connectionmanager_dmr.xml.tmp	_cup.exe.ignore.exe
File created	C:\Program Files\Java\jre7\lib\zi\Antarctica\Troll.tmp	_cup.exe.ignore.exe
File created	C:\Program Files\Common Files\System\Ole DB\ja-JP\sqloledb.rll.mui.tmp	_cup.exe.ignore.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\af.pak.tmp	Zombie.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.IdentityModel.Resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Winamac.tmp	_cup.exe.ignore.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\jfluid-server-15.jar.tmp	_cup.exe.ignore.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Data.Linq.Resources.dll.tmp	_cup.exe.ignore.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_ts_plugin.dll.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_left_mousedown.png.tmp	_cup.exe.ignore.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\gadget.xml.tmp	_cup.exe.ignore.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Notes_content-background.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861240811.profile.gz.exe.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-charts_ja.jar.exe.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.nl_zh_4.4.0.v20140623020002.jar.tmp	Zombie.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\control\libhotkeys_plugin.dll.tmp	_cup.exe.ignore.exe
File created	C:\Program Files\Windows Media Player\fr-FR\setup_wm.exe.mui.tmp	Zombie.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color48.jpg.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\psfont.properties.ja.tmp	_cup.exe.ignore.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\it-IT\bckgzm.exe.mui.tmp	_cup.exe.ignore.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.Speech.resources.dll.tmp	_cup.exe.ignore.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.DynamicData.Design.dll.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libchorus_flanger_plugin.dll.tmp	_cup.exe.ignore.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_h.png.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\js\picturePuzzle.js.tmp	_cup.exe.ignore.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\content-types.properties.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\css\RSSFeeds.css.tmp	_cup.exe.ignore.exe
File created	C:\Program Files\Microsoft Office\Office14\Mso Example Setup File A.txt.tmp	_cup.exe.ignore.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe.sig.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libdvdnav_plugin.dll.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libhttps_plugin.dll.tmp	_cup.exe.ignore.exe
File created	C:\Program Files\Windows NT\TableTextService\TableTextServiceArray.txt.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\29.png.tmp	_cup.exe.ignore.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jfr.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\La_Paz.exe.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\librv32_plugin.dll.tmp	_cup.exe.ignore.exe
File created	C:\Program Files\Windows Mail\WinMail.exe.tmp	_cup.exe.ignore.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\rtscom.dll.mui.tmp	_cup.exe.ignore.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Kuala_Lumpur.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.text.nl_ja_4.4.0.v20140623020002.jar.exe.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\vlc.mo.tmp	_cup.exe.ignore.exe
File created	C:\Program Files\Windows Journal\Templates\Genko_1.jtp.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\tabskb.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrcommonlm.dat.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\InputPersonalization.exe.mui.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\PST8PDT.tmp	_cup.exe.ignore.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-search.xml.exe.tmp	Zombie.exe
File opened for modification	C:\Program Files\Mozilla Firefox\ipcclientcerts.dll.tmp	Zombie.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.Printing.resources.dll.tmp	_cup.exe.ignore.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\tipresx.dll.mui.tmp	_cup.exe.ignore.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Psychedelic.jpg.tmp	_cup.exe.ignore.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\feature.properties.tmp	_cup.exe.ignore.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-io.xml.tmp	_cup.exe.ignore.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Fortaleza.tmp	_cup.exe.ignore.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Extensions.Design.dll.tmp	Zombie.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\mobile.html.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\css\clock.css.tmp	_cup.exe.ignore.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\settings.html.tmp	_cup.exe.ignore.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_left_disabled.png.tmp	_cup.exe.ignore.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe.tmp	_cup.exe.ignore.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

ce79c3201c1bc9bb2d2cb2fa53304f9f972ae2085e6a47fbb78dd493b6b769fb.exe

description	pid	process	target process
PID 2272 wrote to memory of 2892	2272	ce79c3201c1bc9bb2d2cb2fa53304f9f972ae2085e6a47fbb78dd493b6b769fb.exe	_cup.exe.ignore.exe
PID 2272 wrote to memory of 2892	2272	ce79c3201c1bc9bb2d2cb2fa53304f9f972ae2085e6a47fbb78dd493b6b769fb.exe	_cup.exe.ignore.exe
PID 2272 wrote to memory of 2892	2272	ce79c3201c1bc9bb2d2cb2fa53304f9f972ae2085e6a47fbb78dd493b6b769fb.exe	_cup.exe.ignore.exe
PID 2272 wrote to memory of 2892	2272	ce79c3201c1bc9bb2d2cb2fa53304f9f972ae2085e6a47fbb78dd493b6b769fb.exe	_cup.exe.ignore.exe
PID 2272 wrote to memory of 2936	2272	ce79c3201c1bc9bb2d2cb2fa53304f9f972ae2085e6a47fbb78dd493b6b769fb.exe	Zombie.exe
PID 2272 wrote to memory of 2936	2272	ce79c3201c1bc9bb2d2cb2fa53304f9f972ae2085e6a47fbb78dd493b6b769fb.exe	Zombie.exe
PID 2272 wrote to memory of 2936	2272	ce79c3201c1bc9bb2d2cb2fa53304f9f972ae2085e6a47fbb78dd493b6b769fb.exe	Zombie.exe
PID 2272 wrote to memory of 2936	2272	ce79c3201c1bc9bb2d2cb2fa53304f9f972ae2085e6a47fbb78dd493b6b769fb.exe	Zombie.exe

C:\Users\Admin\AppData\Local\Temp\ce79c3201c1bc9bb2d2cb2fa53304f9f972ae2085e6a47fbb78dd493b6b769fb.exe
"C:\Users\Admin\AppData\Local\Temp\ce79c3201c1bc9bb2d2cb2fa53304f9f972ae2085e6a47fbb78dd493b6b769fb.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2272

C:\Users\Admin\AppData\Local\Temp\_cup.exe.ignore.exe
"_cup.exe.ignore.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2892

C:\Windows\SysWOW64\Zombie.exe
"C:\Windows\system32\Zombie.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2936

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3452737119-3959686427-228443150-1000\desktop.ini.exe.tmp
Filesize
229KB

MD5
13e7071bd63b64100dd7232e10ad5662

SHA1
3b2cd8556ab77326972e89aef8777f93406c264e

SHA256
f1465fd5f5e3abbf2b844e55b32e4a029d2707b6a6639f0b45102ec242f3e344

SHA512
2c54dabaa1bcef25f5dcd6ac473a81b247096b730b77d5b8623a12f8146bd83fb465c416213a592ba0766c3e7877bc9ec4cb001a0b36fc7988396f8f56492767

Download Submit
C:\$Recycle.Bin\S-1-5-21-3452737119-3959686427-228443150-1000\desktop.ini.tmp
Filesize
114KB

MD5
c79788fd0ef4bac5cc2b812a32857a5c

SHA1
5214a874c54af6b779a25ba90714127893fa51f1

SHA256
77c93986bb413ce30fa625b7d4f1c9e45330a10bcc9339c3d7f913642e354d44

SHA512
c3691c97a8b0c2eb60f9aad4b01b02aa020cec2b84a287bb4d38ac4aee3fa0935ecf59a62ec3f85bf3dbd68f7f20c55ce0efad08c3511b30063c74563b896b76

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.tmp
Filesize
6.0MB

MD5
98724a0d31e07c8c966c30efdff98980

SHA1
b26f7d152ea73e1de44a3be9cdd0fee09ba83079

SHA256
976713e2a22ede536f1902363e4f05305f77ebc068b45b8bace3991975f2a403

SHA512
237b6be17a6934164d0ff4309635a791e4448e584e0273bddf08d917886df7c01a611dc064d3fc19ae52d01494f7db8f8d6f23c26c6c400ba4ad9718f9562f28

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.tmp
Filesize
3.0MB

MD5
f6297b0b9213b1b46261bd1ef94d50e0

SHA1
9c2fe86237b41d1d2d7c831527b30a1c9d46436f

SHA256
37e377abbd0d5d63e6d510c28a10a5cdee9252bfc403320c0bf12f464119f148

SHA512
e81c026557c7f585b04dfdbaf260d8d2bbb4d809c91e8b6cfec92f7d9ec8db3d63e6da5fb7d6550b4e863b07baf6dfebc06168087af256c4f5f6e8e096c1c74f

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.tmp
Filesize
8.4MB

MD5
9bffd4df66b77a0a243d6b4b1c24c81c

SHA1
9c42f6665f77924fd929f7cbb76389bb6ab4c112

SHA256
4cf90be3f5a5e82031037bc39dadbccb164d7884a3e16f05a51cdc1f344e1eb3

SHA512
ae4455fb7e8740ac082e3c4e0d5673368c996f411a3cb75af0f593c44bd2b8428e296eebf26d547f87faaa4c2cfbd7b3da94f4365d001b6e0bf6ed6557071188

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.tmp
Filesize
23.8MB

MD5
fcca1dc8f4efb4e1aa36d15730c4d59c

SHA1
03c357ab1aea21eacb2d2ff2dc38d2fa477fd40e

SHA256
a6316ff3e41c444ad8d76eb5868b18bbe591d60a42f5962c44b3cc6b6a4be898

SHA512
62c98b9977c1ccc570cd7b5ebd81e0ff6ddefdfcca29056d995acfc0f36be8400bc81de109884505bab1615a04d63b793a3e4f5b8389c90da5c717b0750db7af

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml.tmp
Filesize
145KB

MD5
4435cf84c1f9a4a1a367f70bce9f7c84

SHA1
4714e537fd897a5e2484ab1843d0983b6f4614db

SHA256
22c5f5829b5b5b4ae60cea77190f7ad37fe55f1c765aaf2bca7022aee12e9d9c

SHA512
6fb659765ba8ab00d81a48721669c9f27a950eb62ce3b69c21ddf033be60d434952adc182282784b859a58d607d267e2e5ecbbdfd94bca58073ba1566a7fbef2

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe
Filesize
260KB

MD5
5677303884322a9c28b4bfa7275fcf9c

SHA1
ebae12521069481e93d07a2d2e3d131a67addb8b

SHA256
313698cf9fc561ce07dca9dfecf098223ed1bc4965a52bfcece59199d2e02bf3

SHA512
f147bdd72817182ab3ff2d1ae840b5e6894936c611302a2bfb240e6ea18a7b4b5279896ecb51728558afe5cc3f1332a214323989e090f87c7c02a844151ad00e

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\osetup.dll.tmp
Filesize
5.6MB

MD5
1789a0536a25a6ae1808a7a6ff65e131

SHA1
482080a50c0bd338d7552d91cd3757505ce7de1a

SHA256
e500c139bb896b9d2cb44ea430c5379cf635cd66d119b452f68b30f9c5365250

SHA512
9fbef69f7fa7b3bedb7dcf84e161bbe28045694d9ae4bfef581aa4e72657effc8301ec5d318b94fc9e5278cb7b129f0ea61803fb1ef8eecd3bbdc32646874d2e

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe
Filesize
1.2MB

MD5
326161dd90aaf897d37798b681cd7775

SHA1
c721d7ee788fa80ae1363c8a26ffd42cb6a936c8

SHA256
dc437847fba96180ba62badcc87c510f49db38aab6bb50dddcd85528730d6cbd

SHA512
04274c0cca1e68dc41c0db1e9d325d01ef1a6cdf0dd1e37e6542b501ac139d28751a0d65322f902c83539d574c52c8eac9bc69ae86bf1149ff880243911c4026

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.tmp
Filesize
124KB

MD5
a6612f6388de3ec66b157fff51dd58e5

SHA1
4e57fb73838d9d49a5000c4d1052714f8230e31f

SHA256
ca8db4c429370b9d99bfe53b00e528bae465a7927bf1d2e2186dc33e48914b4e

SHA512
840b7b6941ad9503a5e74a796e553a1a3aa8c0005e6813c93d8c5eed60dba2ddc772d1862bab864c28f5a5d4dabd88f94db6c013660f8e75d4d7aec5a30e1ec0

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.tmp
Filesize
16.2MB

MD5
261879385bda6ebeafc5816f28651162

SHA1
3371d87272912646376876d026a790c4b6b2a1bd

SHA256
7f358e81c65c2e5f2e0dc96ca9eb6b28b38399c519cdb599763a8e6e72dab94d

SHA512
93af854a40b3e80a15b2645cb5de675f174675e6192a027a4ba1a995eff878fffb848f9b32a0aa6b7b94ea0d4a0b548d4c43ac3555ebacf00f7d07cd88260817

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.tmp
Filesize
1004KB

MD5
ad333be9794bd7cdcb03d2c8c77c8c3c

SHA1
02185d07516e91c5eb531a7db7e899a330ee7118

SHA256
1f8783ddcba29b7cba22095fb54b7329892c9b9420c648ef2164b04ddd6565bb

SHA512
2c45e6e7afbfa805723bec22790541ca75f312e72689d31568fd232d8b4985d1c2e2b269eecb61055e1e40c94e7e32c74b34d53c1500a232690c81c532babb3d

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.tmp
Filesize
1.8MB

MD5
ebdf4505245da5b3f74a98b893dbe6bf

SHA1
935824ede999dd426b1416d76b29d08808c5e507

SHA256
b3526153d1ba32100bbc75fa91f0700d1d65d569ba607c1d276ca440708a9e6c

SHA512
289454d1c3f627a9664de8e77834e4f6dd4bd368f66e18e89202fe6097bf805c09587e5db555fad946d3cc1537d2830ea821babfc44152ed5a69853926c15283

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml.tmp
Filesize
119KB

MD5
7a8229a1d2b3cb746cf63d23aaa7df5f

SHA1
22611cbba696869bc2cd889ad89933126dd37949

SHA256
0bb1b0265e6d10a63e87fe9fd1c2315e582d0555af940fc1f2c3e962c159b847

SHA512
d5734c8c8d0511d2ec5e365c04d4c970f5544eae9bb274d5cde4d49a677157f57afef5ddbabce627a13215410569a145e5b03c4d3057405157eb46030c5aff00

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.tmp
Filesize
1.8MB

MD5
93cb958afda250d02f26290389024749

SHA1
fb8ddb1e611c45ad63321e635ca76231af623f39

SHA256
6ee0195f610bd8072fc4452e5855b79c65bb76b5cb2f7706fe668103e878d163

SHA512
718d863678952b6241da8040b480828f0a88fe8b589fc435134387f4d99fac80328cc3d872b4226112dbba89e3ff2306d033a5692a024ca2614eb2f84eee6e11

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml.tmp
Filesize
117KB

MD5
ab3774114031033a5df1d2ee0f86cae7

SHA1
b69c988438c76eaa543b4c0f51c5e9983d27d25a

SHA256
4d3eb39c78912f9be768caab3b6be22afb553103b2b20213d7d1b2e9e2e48265

SHA512
d54739bbb7e28c65be8c4282590048d0816963e9db2d9dcf8d973f954c832f490ce6e9d013d7070125f852d8597bfeea146ed553b1243b762eb2c25f32e1b976

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.tmp
Filesize
9.6MB

MD5
bb6fdf0c6b6744cab27dd59cccfc522f

SHA1
4ee3965631d20b778e9eab6f8fde3709898bd433

SHA256
dc71f66eddf867dcc43bf8c956524ee325b84534f19a88143952658011b725cd

SHA512
7e9f94850914f733ffdc6127735fe8ef38b7e49e815a083385befecbe3a655c3ebb78dc47d02483676dd65961de9fd5d9d9ec4307b29a18a607450bc49c2703a

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.tmp
Filesize
116KB

MD5
c48e1c9231612b088518d326a95b8c8e

SHA1
c23c79bec3f51a9db3f87177335c9104376e4523

SHA256
e63fc629693bbe34625498dfbdd306e1eece50fe6a0a2f31eabc8adf2be2ab3e

SHA512
acbf69441d35b840ac62fa66f103addc27b83bbef00501ec5416450dff607d32d98780303525d8b609663ca779fa5feec1d6b369fa9fbe7111f6027f374a39ed

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.tmp
Filesize
116KB

MD5
f59a72e6b314501baaebc1bba6e302ea

SHA1
15467a010bf55e994f90e61e016d8c17fddee6d4

SHA256
2fdeab8f39af4f0c3230a89ce784cbcc274d2bfa1ddcd56714bb5c647f80714c

SHA512
d418defdac47029b169ca83ed3a3683ed01d87e971cf5bdeba524bab92c89c7724274dfc4351b00fd38c3fa7c0b6e0ebd855a1f1896c7698fbc523b230db697b

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml.tmp
Filesize
117KB

MD5
51dcbc2fc3c377a38f69885ec69a0863

SHA1
ecfce38da7f3b8aff8481b1d5c15c33a316ef8fb

SHA256
cbbc1fb2fa6528fcc32dc74fbd23104920ada4e487af96e44e391b715c2bc642

SHA512
1f5ee4b3a0ff05fadaaf7374feb4559ee379fbac76aef889763f753ac0eb1b9950ade37c728edbcc746f8176576fdb7aaff488a1a9ccf0353324bd6cd232b4e3

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml.tmp
Filesize
117KB

MD5
eb6bfc0df642939d5f9b05590b43fe47

SHA1
b3e509d869548e2c3fe698637abd51553fdf3d4c

SHA256
95368942c4b5abc82b85c932c19f9b8606ce35784dcea0355fcb0e5ba7d854b6

SHA512
f14564973a2684aad1afd5048e057a7dca11e2b637c5e98a90ca7307936be438a53663ee07e9a6a652298be9b26e477613d3c2d50a069b5748a1e4736b1a328a

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab.tmp
Filesize
120KB

MD5
c2e70de586bfa14bbcf801c6eb31fc73

SHA1
df9d79f5032333c4261e80b1ae9a18ecaadeab85

SHA256
510d957e0cc3c3ee06000ed486fe8e2d4ae16b28514dfec307c3e1edb3e22fc2

SHA512
6bd7dbf5a16afeccdb62113ce4fbd3aad2d81823d1b42fd48faad7b61aa7991f71e7d7629b6e992b22458281d4104a9ef1500ec2bc468b8bc8b44fa3a1fefa11

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab.tmp
Filesize
14.2MB

MD5
1858d18591a029d1fe1953592fcf2802

SHA1
707747a4800fc90dfdba5fb99e16f0e7660709b1

SHA256
c95c0f1569d5c38c682f543bcc43b8f1a41ec9b1abe617185c4207b1de9ee234

SHA512
89a92d1274e882afd42af44187703d2357e65cc62e1c96496350d230feee465d68ea8d51c329df56201d14262f32df2d406430fd16b910a0565a96ca082dfe3d

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi.tmp
Filesize
2.1MB

MD5
90a8d9552a90834031a530bfa8b2cc60

SHA1
bc2af2b5d10701f37c41372b4a35006bbf71a04a

SHA256
feeff7e37ba217851d61f3e6a505b7d479634d0cb7ea528bb069e646abfdb8f7

SHA512
a10ed4bebdc283bb76602b034987322bcea2f54a0e0c47ece74cf0f5483b485409cba50213e8a41d7df859f6d4e88fd389abc87bf81071e4307aebc4c0c45c41

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.exe
Filesize
119KB

MD5
125fe3a3758289927e124e3386ff864d

SHA1
8fafd8fac639bae7a002f77e837939d90d4d2977

SHA256
2206a8ffc1fe882dd22a30e14605fbe955c5ef7962a0212f21fe231fd918272b

SHA512
325f9530b6635f1dfb58f893d2f7de2bc8873f270c9126c1d5607ec65c7d6a09e86a88d058e2278b678794649ebb75d112a8392c3effc6b65bcea6fb473d79c7

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi.tmp
Filesize
948KB

MD5
6d24c021465645778425c0e14904c5b3

SHA1
f0173b573ff25828bd2da4685778bd8fa46b899a

SHA256
422d6b19be9e4bb31cf96b348d12a7db5e639f495710312b5465923df0eddaaf

SHA512
5e69150aa3b927dc93108797f33cea9cbb142738e1c75cb57e842b2bbeeb7769a46d73f0c57527196d455cdc20eed0c8faf27c5888cab0f6c280a4aeb7b7f173

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.tmp
Filesize
9.3MB

MD5
11fd33dfc1ad7cd4bc27cd8088c253d3

SHA1
bf5bb7b1b176ae4237105361cae91b9bc40e0657

SHA256
9ea838e12687e07989296dda7d850804e507616765dd7398162955b4b77d7acc

SHA512
bf9a3f6577b69baaefd454f649e6174621412ad9522dd820bcfce852a82e807af60b2858d929cc2d8124bd4c666e569e009b64721215d9780b23a67f27172c4a

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab.tmp
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi.tmp
Filesize
762KB

MD5
1dc169c5e709fa68a89ae0c250c3478d

SHA1
e90f4d366665233d282cdcd994ccc45d4f0e1f80

SHA256
f1d23b74f9d7bc2d5ecc345396c84fcf29c5ae00cb6c79cd72089ac89a522972

SHA512
779c2faaaa7169b12b5695f844669b11556513fa1aa30a44138245050742f318734af9556f62d6fb06e0b841ac6bbada582bdecf254f2d1d2e9a3c5cea09bd94

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.tmp
Filesize
4.0MB

MD5
cf09a8e1c69e8221f4531edd6d25dc16

SHA1
77bddc4bb3687f9dc43bd7a0b35ec6325361edc7

SHA256
07d2ab39b7afae40c0994632f5fead55bfad76b04f234ab3531d7ff063fb444f

SHA512
a4e627ca85315c9058ab4883304a6df152bcd0cc6e791110b3b306acc059ccbc2d671462da4a087bfb70f9028b20b3fa75d4e08a9abced5f38a145ddfdf235c0

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi.tmp
Filesize
766KB

MD5
fc8e818d2a87115da940cbfa010f45c9

SHA1
85d30b83d542c51f5f3f6566aea37dd485fa0dbb

SHA256
11dd75a8c3b173ee460be41e137e232584bedcf8f60c966ba03314fad6fedb33

SHA512
36de20729fcd65437f02ed4bc60397b466e03703e82a17467c5fa1f94c0de4e457b0617a5d1826c0b3da23a2a6d110da32f1e9f484b5c23ae10af8396923e7c7

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi.tmp
Filesize
749KB

MD5
55a0cf537a576dffbf3118b780f22439

SHA1
d66741b26bd3821ac7d59fe7ff5316b64b7534ca

SHA256
4490299b06ea7f2da0c7a2177ac02af15419f7b5d406d2899d618774becd11a2

SHA512
85fd4c468cf52c9f84fe13ab08a50f07dcc76d34161e2cda0f68dfcb1bde843792fdb785b3f68f771ead2f3985d5976803a89b1460f444fddd1f2a55111ebe6a

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab.tmp
Filesize
840KB

MD5
b0979480d3c3ba3b3a4e170ad15bd824

SHA1
16a4d1096f0335a5fb09ad17db6818f29d468645

SHA256
27d86a5566e8e08810fecb619c04d62de9c12780fcfe9a90862972cbf20d1f59

SHA512
cc055759d6acc3c7dfa6cc959bb8ed26edd66dd40a86e9ea79252a98f5256b6641a1f111a0839191e3a1ab5b533693a865176b4a92649a44a7a520b3507b5b52

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi.tmp
Filesize
2.4MB

MD5
15c109e3a8ee5e61dd5734898a658e68

SHA1
6b76dcda2a36add632d06795248845ef61229092

SHA256
8d811bbaa456779d4da4a477ed25bb6f1e4e921f6639e50f3c7efcde0d2ad6eb

SHA512
8b6bb011b2f84f3670a16300df1be0f9d9b2af62a7deb90680622f0f659698fdb5275ae613949951548ab324e6e82d01a15c6ec3c5e40efb197a980907eaac99

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.msi.tmp
Filesize
16KB

MD5
4f209b2be95925755795010a294bd08f

SHA1
64e4fdbc261ae4d99acacc9f50a94432820b4b19

SHA256
bbe5113f357547b093005d8096a77f8224c13d04d8f4795a0b72e0ccd6ce786b

SHA512
94f3d7401f748745512f0f6a76a742b146ad9f2c6f08650e7911138da177333e21abaffba7d0f21f44875e6a7e185eb1548cd4b1378fa6965398192445048a92

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OnoteLR.cab.tmp
Filesize
3.1MB

MD5
f1a330d5e7641f8a1a3dd4a20ca0cb0b

SHA1
111ff1bf20bb27e56cbc20d99f551896278b586b

SHA256
9fca3e74ad58b13be41892d4307d4de18bb1d242b3394a79b2101c3e8f79f7ab

SHA512
cbfcfacf50277ddeeb03af57bf4930443c9898e95a0d01e2956d134c407ab8a88b9b71289412fe7b6bdaf8ac6574dd333ec2972d9f32c93ca789f25839f0308b

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveLR.cab.tmp
Filesize
1.8MB

MD5
13d251ed880747964aebf190e044b6b2

SHA1
f0a12bbe2325dbf1f1d9aa62cb7c7d310bf440a2

SHA256
72f1f22782bdd84a3e2c99066fb5ae2e7398d9966b16aaf3a98520ec688ea701

SHA512
7efca89e1ac42cc3b6c0b7ea243b6ff78fe27161a264cd8200b64e176a81d908f69a9df15ef6ab977d9a8a4c10291bb255683d22ef3d47496df4c52a23970b29

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.msi.tmp
Filesize
1.8MB

MD5
6b0b0f4b41658da3985e4bfbc8a63f90

SHA1
3b3d183e46b3b36b0138eabaf5513530691c554e

SHA256
f47b905b38dd5c498ccc4f41160ed5025c1be50db08cc6d88109829f65861671

SHA512
04fc6dda738ec2915ed12e82334fe695bfb9373cfc130818d878019ad0afe0db66bf7fe7ffe14401f999ee2819c97f0d170d4d1d34719b83b053287158e37a76

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwintl20.dll.exe
Filesize
220KB

MD5
fc128d5ef6afa4dcf7f3a6283104b620

SHA1
6accbc3c5f79ea988c3ff4370d661ba66606e9c9

SHA256
865b6b3f975bc7b1a29f8c510998e153e6c9ba049390633721e49ade83a0ec74

SHA512
1ee3500979d1e460edc6a0af5796df8ab11f5ca30c2b12738714252b52d0efb337a762910232a039c4581783b1829e19b503fe3af7d1512f242154679ffb0fbc

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE.tmp
Filesize
933KB

MD5
849275ca8359ecb174f2ca052ac67615

SHA1
2598348b0d618bba9d10f9f281654656e61cd6c3

SHA256
c7cf26932e191b98cf1235b6da1c4120db95dab202e8d2de204bff6044ff636f

SHA512
4e17785d47970a684127938c63e24bb886d2f891d7751e6932e70922e7a411da46aed37f01cb96521f58a7d23cd429b40a7493620e3ffb947489300b34a48aa9

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Microsoft.VC90.CRT.manifest.tmp
Filesize
118KB

MD5
3400c01a6258ed43b09759ca76c00886

SHA1
d13689e632d72b3bd09bba2c9184fb25d03a190c

SHA256
0a7dae76a60dfae787caf3da29978ec1f95d54e408c67973ed15d9aa93734036

SHA512
1abaabcccdb425ca3b813a9f3e9205c0f3db45f7343a328e2c6d7bf14df51e9c7dd1abe01b11d29103b0db54a6f7da35b8f5f138336ff218f7c85fb4814fbca8

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.msi.tmp
Filesize
2.6MB

MD5
b7960bb0d69264a0cb8c052328a1c3e8

SHA1
bbd61eaf83d3490ee9795f5ef8c1bb7f9295e5a7

SHA256
c75303e2fef8c18a9b7eed1c547d06e405ef1eb7b8f5efa34acda3acf9d5d59c

SHA512
f534ba8275e454225492bc4b00ba68e71a397f0c6b1b54239acca69c4163eef6c3d661ceeae40c196454b330e98359dbfa4d486a13ee399db8e145aa5954c48a

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.msi.tmp
Filesize
2.8MB

MD5
5c927dc79e4e14bd02b2d08a908e21a7

SHA1
7951234eb131a536a9f6d511894bd1fef4de4a75

SHA256
55d10b30d2dfa80f0599ff60d438f0ab76b43cf48f50aef5caef5465d3efaaab

SHA512
8f8721a8b73c3097e5388e3a5db1dbb92453cf41f08cc54c5a041352035bdc6890da9e963b348a683c6ea121e306debdc2bf660ea33fc06dcb34ad7140d9c83e

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.msi.tmp
Filesize
749KB

MD5
2da5ab7f5890c2ca0004f910a1e0723f

SHA1
e43b9630037f90d3a0fa1f3846331e9b57b892ce

SHA256
2539e7dee4aa09f31c7e0c3acef435e851d795c6b3dcedfeabf0682631a4c1c0

SHA512
9cf587894f52e785baf23ee4d9722f94b2580b788c7c86da405ec6857541f2acf78c84c0dbef9e4d33b80fb4b46c75e95e4edfdab8980c3ec8f45e2453db6d93

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Setup.xml.tmp
Filesize
124KB

MD5
9b95a7848a273605dddbef5dc079757f

SHA1
4f93af5653d68c26985fcebd1bc1ab010364c167

SHA256
2240e0f8d8d15f70e0d851be5f58878a03b8f69f836879799bc9760b72cad644

SHA512
2d5f994b6e54f04b8557d46f08cab8efa4d53ea735c46b7dda0b53d90ca823a1904bc85d76b51fb3c7d5574a61c8271ee13e8fa76eb158418c838b7a99ea5358

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\ShellUI.MST.tmp
Filesize
121KB

MD5
ca98453a0284fd7240e624f596388f42

SHA1
b60114f64144b6f9c6e1bcda1dea84027ef49e3c

SHA256
5cc835dea2dcc11f5757f1f2615d5f3f2d639ea37d9d4ef9a16853d55753d171

SHA512
d54052ea34c34c65d11c212259b2de628629b7180e1c7555019c01fa4d21045e471f660be9738fa9cc7ec939c5b90cab7de6a6d005b5524e320b82788022602b

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\branding.xml.tmp
Filesize
697KB

MD5
a69aab3551aafe6b16a6d9254382f69d

SHA1
143b9b35b8ed26b1fa6ae04fad12007f07e601dd

SHA256
b6269aca0497c1ac7e9928bd1b628b04caf9d797efedc29a0627b4336d6af435

SHA512
b4f27735c2f601350383f19bc0d309560b6629849f17424fff6df110aaa86f67b0b2a5e3d2c25f1bd06af144018fe2b5d6e0c0ff6731a1e39c402b3f48e46e89

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe.tmp
Filesize
416KB

MD5
b79bb04a9525210ce84bce03dcecbd8c

SHA1
8924c5405272fc86ee992d7327ff536d90893d11

SHA256
9288ff0013759f163edf3a379319670f5d7bc5522126716a4e15d28e5a11392d

SHA512
9cd5864d7e316cf2ccc9de061b707408fb42a1daeb9e54bf8cba269d89c038081106d23f3131a866a7e43c1100f736ec8e576b56db8548369c187689841c3ea4

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\msvcr90.dll.tmp
Filesize
755KB

MD5
852d145d089eee2331911a4548c312a0

SHA1
32440cf14f43ef170ce77b64cd86ca9f8033ec89

SHA256
13b9c21aa36c285e72c710866b17e08580ce7d5e49def9f1bbe3f64912bd5b8f

SHA512
985f765faafb2cb02baf48d52fa22cea37cc50026a9732fb130b9474b571de33b87655d981097c9ff241e13b66e8662ba93f8ffee31813fd4a4072e8a789ddc2

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.msi.tmp
Filesize
120KB

MD5
400b8e02c48e5bca2a9e83326f617a10

SHA1
87d6266dfbc4775f2513bb6cfd7e2bbb27a7ab9f

SHA256
8e4c97eabec26e66494fd1bbc077dd6978429ef51af944e298f0e462d80a5ae6

SHA512
fd069fd08923f6aacfa04b2c8eeb897bdd272b438a7f70fd8037d1554526e57e4566fa779e093fab6abe0aab005b40f6950a5fa61c6ceeb021a52376312f3dd4

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.xml.tmp
Filesize
117KB

MD5
050fc975663f0e2e0d512adf33f8e279

SHA1
1b1f945f0037da2d9a97150a0ca0cc1c5784f91c

SHA256
f37752d65a0b8a662691deb37ce9e3aededfc00d1933cd7ba0c3cce18c7be17d

SHA512
aa0b7f91f99f84282a9077b08194c7e627829cb732d74372038f87b6bbea40542137049ca282414f3406961a239cd4f17329b6c9dc874f4e587dbb92571783df

Download Submit
C:\Users\Admin\AppData\Local\Temp\_cup.exe.ignore.exe
Filesize
114KB

MD5
4bf1fe4ca42afb0eb3fac6d053757e68

SHA1
f5f95d732537476f1611490988285e12cb68040c

SHA256
258a056360b2ff135999cd3272600f2d64041ffa9ec0488c1d46659fb85f2c73

SHA512
477f446aae0bec95b8c53a56f7ed280e2462aeef1fc19967a6d89f9bcbff4dcd6bafca75ed0bc179c596cf4cfdd2742bac9fd782b57fda8a139f25c1e7e06d86

Download Submit
\Windows\SysWOW64\Zombie.exe
Filesize
114KB

MD5
61821c6fdca5e58701d251e7dc5d79e5

SHA1
8102af8fa7232a1a11359813cdff1415b0e162fd

SHA256
f70ff88d435261c878606a79e415f3400b09bca4f3ac912f2a0f8b003d42ea6f

SHA512
c23b0abba7ba05fa62492b2fcbf37908774b29158e9367df21d05626e3d7e8f49108aeb12701701bbb08f472b8c14defd066e37931ec396e5790c70993e81971

Download Submit
memory/2272-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2272-33-0x00000000003B0000-0x00000000003BA000-memory.dmp

Filesize
40KB

Download
memory/2272-8-0x00000000003B0000-0x00000000003BA000-memory.dmp

Filesize
40KB

Download
memory/2272-716-0x00000000003B0000-0x00000000003BA000-memory.dmp

Filesize
40KB

Download
memory/2272-1131-0x00000000003B0000-0x00000000003BA000-memory.dmp

Filesize
40KB

Download
memory/2272-1177-0x00000000003B0000-0x00000000003BA000-memory.dmp

Filesize
40KB

Download
memory/2892-15-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads