4d41f6288ccd23ed9f23d1d177a4436308032d3f0177d40eb427f418b1677fb9

Analysis

max time kernel
150s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 21:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4d41f6288ccd23ed9f23d1d177a4436308032d3f0177d40eb427f418b1677fb9.exe
Size

132KB
MD5

d6ced6d09aa84e5025008c7faadcd340
SHA1

738a2cec0aa7c19ad48b9f929d55dbafedd8facc
SHA256

4d41f6288ccd23ed9f23d1d177a4436308032d3f0177d40eb427f418b1677fb9
SHA512

916548d5d542ef507163fcb3627eef457888ca19d4d8a165ef48096570e8ff386222aecd7d833ba9871783dd8b67564e9f3e65fdd4501ec5f93bfa63db43144e
SSDEEP

1536:67Zf/FAxTWY1++PJHJXA/OsIZfzc3/Q8B8/8ae7Zf/FAxTWY1++PJHJXA/OsIZfp:+nyiQSoFk7nyiQSoFkK

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (776) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 45 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2748-0-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
\Users\Admin\AppData\Local\Temp\_MS.OUTLOOK.12.1033.hxn.exe	UPX
\Windows\SysWOW64\Zombie.exe	UPX
behavioral1/memory/2748-8-0x0000000000290000-0x000000000029B000-memory.dmp	UPX
C:\$Recycle.Bin\S-1-5-21-330940541-141609230-1670313778-1000\desktop.ini.tmp	UPX
C:\$Recycle.Bin\S-1-5-21-330940541-141609230-1670313778-1000\desktop.ini.exe.tmp	UPX
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp	UPX
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe.tmp	UPX
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe.tmp	UPX
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\osetup.dll.tmp	UPX
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\osetup.dll.tmp	UPX
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\PidGenX.dll.tmp	UPX
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.tmp	UPX
behavioral1/memory/2748-61-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml.tmp	UPX
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe.tmp	UPX
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml.tmp	UPX
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml.tmp	UPX
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml.tmp	UPX
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml.tmp	UPX
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.tmp	UPX
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml.tmp	UPX
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OnoteLR.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Setup.xml.tmp	UPX
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveLR.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveLR.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\branding.xml.tmp	UPX

Executes dropped EXE 2 IoCs

Processes:

_MS.OUTLOOK.12.1033.hxn.exeZombie.exe

pid process

2636 _MS.OUTLOOK.12.1033.hxn.exe
2692 Zombie.exe

pid	process
2636	_MS.OUTLOOK.12.1033.hxn.exe
2692	Zombie.exe

Loads dropped DLL 4 IoCs

Processes:

4d41f6288ccd23ed9f23d1d177a4436308032d3f0177d40eb427f418b1677fb9.exe

pid	process
2748	4d41f6288ccd23ed9f23d1d177a4436308032d3f0177d40eb427f418b1677fb9.exe
2748	4d41f6288ccd23ed9f23d1d177a4436308032d3f0177d40eb427f418b1677fb9.exe
2748	4d41f6288ccd23ed9f23d1d177a4436308032d3f0177d40eb427f418b1677fb9.exe
2748	4d41f6288ccd23ed9f23d1d177a4436308032d3f0177d40eb427f418b1677fb9.exe

UPX packed file 52 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2748-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\_MS.OUTLOOK.12.1033.hxn.exe	upx
\Windows\SysWOW64\Zombie.exe	upx
behavioral1/memory/2748-8-0x0000000000290000-0x000000000029B000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-330940541-141609230-1670313778-1000\desktop.ini.tmp	upx
C:\$Recycle.Bin\S-1-5-21-330940541-141609230-1670313778-1000\desktop.ini.exe.tmp	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe.tmp	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe.tmp	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\osetup.dll.tmp	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\osetup.dll.tmp	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\PidGenX.dll.tmp	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.tmp	upx
behavioral1/memory/2748-61-0x0000000000400000-0x000000000040B000-memory.dmp	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml.tmp	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe.tmp	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml.tmp	upx
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.tmp	upx
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml.tmp	upx
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml.tmp	upx
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.tmp	upx
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.tmp	upx
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml.tmp	upx
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab.tmp	upx
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml.tmp	upx
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.tmp	upx
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.tmp	upx
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi.tmp	upx
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml.tmp	upx
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab.tmp	upx
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi.tmp	upx
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi.tmp	upx
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml.tmp	upx
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.tmp	upx
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab.tmp	upx
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab.tmp	upx
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OnoteLR.cab.tmp	upx
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OnoteLR.cab.tmp	upx
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Setup.xml.tmp	upx
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveLR.cab.tmp	upx
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveLR.cab.tmp	upx
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwintl20.dll.tmp	upx
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\branding.xml.tmp	upx

Drops file in System32 directory 2 IoCs

Processes:

4d41f6288ccd23ed9f23d1d177a4436308032d3f0177d40eb427f418b1677fb9.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Zombie.exe	4d41f6288ccd23ed9f23d1d177a4436308032d3f0177d40eb427f418b1677fb9.exe
File opened for modification	C:\Windows\SysWOW64\Zombie.exe	4d41f6288ccd23ed9f23d1d177a4436308032d3f0177d40eb427f418b1677fb9.exe

Drops file in Program Files directory 64 IoCs

Processes:

_MS.OUTLOOK.12.1033.hxn.exeZombie.exe

description	ioc	process
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\mip.exe.mui.tmp	_MS.OUTLOOK.12.1033.hxn.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msaddsr.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_uparrow.png.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\circle_glass_Thumbnail.bmp.tmp	_MS.OUTLOOK.12.1033.hxn.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\title_stripe.png.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_photo_Thumbnail.bmp.tmp	Zombie.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\icudtl.dat.tmp	_MS.OUTLOOK.12.1033.hxn.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ar.pak.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.cpl.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\InputPersonalization.exe.mui.tmp	_MS.OUTLOOK.12.1033.hxn.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationRight_ButtonGraphic.png.tmp	Zombie.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\fa.pak.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif.tmp	_MS.OUTLOOK.12.1033.hxn.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Cancun.tmp	_MS.OUTLOOK.12.1033.hxn.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Nassau.tmp	_MS.OUTLOOK.12.1033.hxn.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\grid_(cm).wmf.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationLeft_ButtonGraphic.png.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationRight_SelectionSubpicture.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\setNetworkClientCP.tmp	Zombie.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Chihuahua.tmp	_MS.OUTLOOK.12.1033.hxn.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\bear_formatted_matte2.wmv.tmp	_MS.OUTLOOK.12.1033.hxn.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\16_9-frame-image-inset.png.tmp	Zombie.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\layers.png.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationRight_ButtonGraphic.png.tmp	_MS.OUTLOOK.12.1033.hxn.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-back-static.png.tmp	_MS.OUTLOOK.12.1033.hxn.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationUp_SelectionSubpicture.png.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\photograph.png.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\203x8subpicture.png.tmp	_MS.OUTLOOK.12.1033.hxn.exe
File opened for modification	C:\Program Files\Internet Explorer\F12Tools.dll.tmp	_MS.OUTLOOK.12.1033.hxn.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe.tmp	_MS.OUTLOOK.12.1033.hxn.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsdan.xml.tmp	_MS.OUTLOOK.12.1033.hxn.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\micaut.dll.tmp	_MS.OUTLOOK.12.1033.hxn.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\tipresx.dll.mui.tmp	_MS.OUTLOOK.12.1033.hxn.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-imageMask.png.tmp	Zombie.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sv.pak.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\dt_shmem.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kcms.dll.tmp	_MS.OUTLOOK.12.1033.hxn.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\sunec.jar.tmp	Zombie.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\libGLESv2.dll.tmp	_MS.OUTLOOK.12.1033.hxn.exe
File created	C:\Program Files\Internet Explorer\Timeline.cpu.xml.tmp	_MS.OUTLOOK.12.1033.hxn.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\trusted.libraries.tmp	_MS.OUTLOOK.12.1033.hxn.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Pangnirtung.tmp	Zombie.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt.tmp	_MS.OUTLOOK.12.1033.hxn.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\keypadbase.xml.tmp	_MS.OUTLOOK.12.1033.hxn.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Graph.emf.tmp	_MS.OUTLOOK.12.1033.hxn.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Monet.jpg.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\ParentMenuButtonIcon.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\management-agent.jar.tmp	Zombie.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx.tmp	Zombie.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sk.txt.tmp	_MS.OUTLOOK.12.1033.hxn.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InkObj.dll.tmp	_MS.OUTLOOK.12.1033.hxn.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\ShapeCollector.exe.mui.tmp	Zombie.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Csi.dll.tmp	_MS.OUTLOOK.12.1033.hxn.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.htm.tmp	_MS.OUTLOOK.12.1033.hxn.exe
File created	C:\Program Files\Common Files\System\Ole DB\de-DE\msdasqlr.dll.mui.tmp	_MS.OUTLOOK.12.1033.hxn.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdatl3.dll.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwritalm.dat.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Hand Prints.htm.tmp	_MS.OUTLOOK.12.1033.hxn.exe
File opened for modification	C:\Program Files\DVD Maker\rtstreamsource.ax.tmp	_MS.OUTLOOK.12.1033.hxn.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\vistabg.png.tmp	_MS.OUTLOOK.12.1033.hxn.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationRight_SelectionSubpicture.png.tmp	_MS.OUTLOOK.12.1033.hxn.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationLeft_SelectionSubpicture.png.tmp	Zombie.exe
File opened for modification	C:\Program Files\BlockLimit.mov.tmp	_MS.OUTLOOK.12.1033.hxn.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

4d41f6288ccd23ed9f23d1d177a4436308032d3f0177d40eb427f418b1677fb9.exe

description	pid	process	target process
PID 2748 wrote to memory of 2636	2748	4d41f6288ccd23ed9f23d1d177a4436308032d3f0177d40eb427f418b1677fb9.exe	_MS.OUTLOOK.12.1033.hxn.exe
PID 2748 wrote to memory of 2636	2748	4d41f6288ccd23ed9f23d1d177a4436308032d3f0177d40eb427f418b1677fb9.exe	_MS.OUTLOOK.12.1033.hxn.exe
PID 2748 wrote to memory of 2636	2748	4d41f6288ccd23ed9f23d1d177a4436308032d3f0177d40eb427f418b1677fb9.exe	_MS.OUTLOOK.12.1033.hxn.exe
PID 2748 wrote to memory of 2636	2748	4d41f6288ccd23ed9f23d1d177a4436308032d3f0177d40eb427f418b1677fb9.exe	_MS.OUTLOOK.12.1033.hxn.exe
PID 2748 wrote to memory of 2692	2748	4d41f6288ccd23ed9f23d1d177a4436308032d3f0177d40eb427f418b1677fb9.exe	Zombie.exe
PID 2748 wrote to memory of 2692	2748	4d41f6288ccd23ed9f23d1d177a4436308032d3f0177d40eb427f418b1677fb9.exe	Zombie.exe
PID 2748 wrote to memory of 2692	2748	4d41f6288ccd23ed9f23d1d177a4436308032d3f0177d40eb427f418b1677fb9.exe	Zombie.exe
PID 2748 wrote to memory of 2692	2748	4d41f6288ccd23ed9f23d1d177a4436308032d3f0177d40eb427f418b1677fb9.exe	Zombie.exe

C:\Users\Admin\AppData\Local\Temp\4d41f6288ccd23ed9f23d1d177a4436308032d3f0177d40eb427f418b1677fb9.exe
"C:\Users\Admin\AppData\Local\Temp\4d41f6288ccd23ed9f23d1d177a4436308032d3f0177d40eb427f418b1677fb9.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2748

C:\Windows\SysWOW64\Zombie.exe
"C:\Windows\system32\Zombie.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2692

C:\Users\Admin\AppData\Local\Temp\_MS.OUTLOOK.12.1033.hxn.exe
"_MS.OUTLOOK.12.1033.hxn.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2636

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-330940541-141609230-1670313778-1000\desktop.ini.exe.tmp
Filesize
132KB

MD5
94295577c0a84c6554a5c5f7e7714384

SHA1
cb9d7b5f8d0ed254ac3a35ddfc44eca3c520454b

SHA256
cccd666ce97ea5cf15a01de3e6120f5d5253a1bb6f853c518c25525527697878

SHA512
ad08da5547eaa70bc3f5f982c46b1bb5536e0977e6dfffacfa6640f0f3ca4bd19b2f7707270f8ae6d988ad85589fc528f94ce6965bf0f2189ae04946e3ad2c23

Download Submit
C:\$Recycle.Bin\S-1-5-21-330940541-141609230-1670313778-1000\desktop.ini.tmp
Filesize
66KB

MD5
2564804b52480c6309e68fee68df81db

SHA1
1c03e85f8cbd94a77c0aff30319ff471129357e6

SHA256
e76fb96c0de89453e2accc75a96d4e7108375296396cb266279ade3ba7fd850b

SHA512
e67bf7df8ec6be33ab902c946543b9cd263918e46e4379409f108c36c074f9ef7abea77c3e0f24a8f43fa20ac489cd2703517258ca0c3ac0969e4cfdc85d3d3c

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.tmp
Filesize
3.0MB

MD5
9dd10ad66613a065bb4720188eaf8ac4

SHA1
450663b4ef7ab1f24351ea002adfb261a002380a

SHA256
c9f49e735d4b0c3e2ef70e4ec79605f369ca523f76a65e2a82e75f5c8115cd97

SHA512
74f4b6ecce5c6d30926bb06337e78139ec4d5c84ac188f406d0db5fc23303f04d2369c90ce804ce6629eec7fd6a466758f1e15b4cec6fec8c389c738df088900

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp
Filesize
75KB

MD5
90f9df19ca8482063255f3d3baa2e487

SHA1
fe0100fc3e34622dba572e5d5a75973e1b186661

SHA256
c834fbbcd24f022f0a3321234a5c9e28c6f13c4aed4ca2cf5e487f6cc8226cc2

SHA512
0fad4f387f11dd90d84c08a3898c8bc653b5cc842c5018eeefe88425c14c2b6a70bdba90d96330b5bd1782254fce317360ef25dcc1c1fbd969d0f4734d1b9e7a

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\PidGenX.dll.tmp
Filesize
1.3MB

MD5
3fc07781cc6af77e2bebbf0903089182

SHA1
4f4622b0839d74b44a513170e4c47d8837e637ce

SHA256
7e4f92c30673aca4054794732d88beebaf06ee34f6ff285d1701d5276d78c46a

SHA512
21ef29c2a1070ff71c195e357fb5fc72c77781f049370ea593759487d9fbd68fc22e8deb801c03323ad7fe03b02e7cab75d9399c018f87305625cf73c97c3db2

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.tmp
Filesize
9.7MB

MD5
a54e73320fac886aaa9555d682085bcc

SHA1
846a5ff951456787d5e886d2ed1e7c5b30a1d393

SHA256
83f7cd966ea26855b493164956f1962f07b04611730f5e3044c2de069d22f93f

SHA512
ce0d1f4c455d5d8e01d2a19da8408a42830b0b5638e5c9a3dbff5b97c9a08e03ae083cdfc9eb8ea2f8ebcd3d5b3b2fd668f458b56bbeeadd77f86168e7cb8f6c

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.tmp
Filesize
23.7MB

MD5
e8840283cd07560f636c946d04e0dcfc

SHA1
496a91fbac8bfe5c332b4798b5af60144b685169

SHA256
9c493def6ffa476e87bfdd2c9fd56669cdb2150a5bc2e20efb33d1b0d2fba850

SHA512
b343c5f8eee78199457267c408478b6c81b0f8fafd72d8aa8995f4ab5dfe59876df48a243b8fe0962b4147bfa854ae06da7392fe952f7c8dda966792101be337

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml.tmp
Filesize
83KB

MD5
5f8c5874a4b5eef007ee765a7755dec8

SHA1
706d876d596f16f98ff38566d1358a2be085aad8

SHA256
86e240c6aaf353c8250cdb1a81b73647ac64d5b85185642168d78ecd6d0d010b

SHA512
f8e92712e295a5dd9f13b9069adb582447f9e44974d939d9ef8a632da97f58119255788a1cbe6e969c7bd1f21228466ee4f24f0d145b01d70eab4dc4892d9c42

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml.tmp
Filesize
96KB

MD5
b8631eb0dd2dc509401744786f9cec6c

SHA1
10f86108a34e86fa8b5db07dba56f157860ef22f

SHA256
74b985d7c936d1f4de3a242ae9847a70e0c92c550bea5980c804481d0c243579

SHA512
8099b857b78571fdc6fcc6f8b29acfb5e686c00de7f5adebe6fa967496d05e462ae6be13f431ce582b389d48b254c5561275792f3b6dda2087db3b2d4e570b69

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe.tmp
Filesize
64KB

MD5
c366fe1e3f2e15dcf920d1b9d4d5b11d

SHA1
8840ba23cb0f8ccc01f9a93925d3574671aef50e

SHA256
d48aaf0b2104da7b6d578a790fa2f2dd87081d7206c968c0c15d42796db58fe5

SHA512
1588ae9cef6ce6564144b5e4f3513e585f1dd32bd7c4db0d1769f9dc31ffd25f737aaca1dc1baf4bec30d4ce53d627c4a5d3fbbd7d5979478dfcbb43582d2d03

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe.tmp
Filesize
212KB

MD5
468ac4f25a8610b27cdfe09e598998ab

SHA1
2de43a923bc843a05b1928b113f234bcc092c71c

SHA256
9942900347e423882eda77062df1ff1ae0f954c71bee6a725f2807dcf0c82cf7

SHA512
073844185423a0cb44c8bae8ce56c8982afd9ea57732af5e874d94a184bff2a02860f7f3e4268c464b23da598e0c20f243e96911c29d381c6b1937082a4cc013

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\osetup.dll.tmp
Filesize
68KB

MD5
a60758d1ae674324bbda73a6162010c8

SHA1
0dfcf440b32decbbbc21642cd2a1be0ec6ef3392

SHA256
109205756dae7a9efd25de344d71a2acc7f429dbab241538f15b6915064830cb

SHA512
d7fccbbc1a45d8d54a36b5880b87c103900586b32a95cea026b99140d64d614b54ccc982f52fd5037c85c364efe416ae2ae7107b14f3a172af6c8c6f2d2daed8

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\osetup.dll.tmp
Filesize
5.6MB

MD5
f87d75092881ac25b94bcd5e0fa3d4a5

SHA1
a0a1e4f910b740c1f4349f55f35656c30216defc

SHA256
0a1e2e5a737faba1065bd87528f968dcaa9352b5301696fec3a0f3012768ba04

SHA512
2e43b73eaffca6174d670d6fe6fcf3567d8fb6fdad1904472d61956a88b473626598a973d98aa7408a66d00b9d066f75ceefcd0dad1c72b674859bd87237342a

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe.tmp
Filesize
416KB

MD5
2bb9a454938b2b8b8b93fd3eb6092a43

SHA1
b83d0fae9f6d4e153d7211bb932f8f55cffafc10

SHA256
bf795ab7de231fffa207dc70911d8ad5e5ed5417e12fe9f5582b6934493c957b

SHA512
9e49664a2fa7719680cdc6c819da1ce66be0bc0c27b38a1b6e905c380de451a7f7d2b6d906cf7dbb0a867ebc43143864d382a6f9712da668dc9dc74d0a0314a7

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.tmp
Filesize
488KB

MD5
89a21bbe9a018709d2a5a062b0eabdbd

SHA1
92746cf436a1bf6e12093c83308203dcddb5890e

SHA256
289b2d15fd7b7ebb79043eb3162a36149c566a7f42e572d883a9ab82538aa86e

SHA512
8e0bf27582c643761f6154437e361bba8211fac63647cf50ed860b02de3fc918dc5f30af5462ba3f027f7a27be3b8ab969b305bab96afa862e78cfb737f8fd46

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.tmp
Filesize
188KB

MD5
563d46e813eb9204d2ad3eda6db9c2b4

SHA1
ae5f5445bb6df759c6ada0e02614907fd8780d3e

SHA256
eaa503c5415097db1dc76e3dfe3911339ba9a62ef5e9fb60ec0ea8bca9d1bf79

SHA512
7360913f0a25aa1e18081212a08ec67a3ebd84e1d2b60645e023b55f9bb4a45491b361e4fe5f34020d7bf0818ae46659c2c0c204d4244526c596945efa0c0553

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.tmp
Filesize
1.8MB

MD5
09cd026239129bcfd5ec1b39d66f9dc7

SHA1
813558e694140127a3a33c00dfdbb40a841e6d71

SHA256
8878455f86b3baddc124d02ffc12013ced582bbfa54bafc53fb0636c962907ba

SHA512
8c30394f3649e600ae6877b85cd1a0d6f01d9e34f9c23780102de3fd77fa247aac9e071c48e3ff067bcd93e6f39e2800a7d9fa1c3f4277b76785b3e6ace4468d

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml.tmp
Filesize
68KB

MD5
81a73193c5d6993ff194780585ec2091

SHA1
256fecdafb1bbf848a5630d93e53029d251de7cb

SHA256
ac435ac0b6e7971a03277c55217d20bc222b0f21f8ebc6b8607bed72d236c60e

SHA512
217c228e69f1bcf1c8e4f587e4415265124ed8b5f2b9c54559a7cf1cfe5d5287bdf120d99e3ad491e63c23c751cbedcc6f7e48e4ba256471299d173af83857bc

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.tmp
Filesize
68KB

MD5
8c834596b04ca341ceb2b38acbd1fa78

SHA1
010ca88dedb38b74d95762b4310a222eacf4f74b

SHA256
aa2304ff33fa438affb7a560b7e3a95bad12dec1eb2d6b79f5fbd6bd7a1abbfd

SHA512
bf8468be0fcdca4a120524e3e726a64505ae0f86bd92d7d8a8cad44e3475a84fa20634789223f96e9800e87393df847834b3f1cd51185611a8762643dc09553f

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.tmp
Filesize
9.6MB

MD5
8e7ec56e2c6eee17740aeb66d2048e8d

SHA1
e72d76cf6a47ea702198f5afb3a8725c057d9513

SHA256
dc95ba80c262ad57c2835b813fffab9f2234b3e0475e3aee8bdf3eb8aaf6b7fa

SHA512
fcc6dbf1a44a40fea7be49c51c2aca62f997ca41e6593d0b4bc3f84770c2007107523a660357144d2f3c58323f90f50edb4757aa85d16ee789d3bc44816d2697

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml.tmp
Filesize
69KB

MD5
70f4c4af9f787b2cb57cc2a63e3a8b39

SHA1
63b5a4d2d5221314f32311c4a8b5d2c6a0113e30

SHA256
7f881a9a75562ba92ccf46dc005ad54a93e75a84cb901b9c6262be0acf8ea44d

SHA512
6852feb99476025cbe97656dc2c8b57f3b8deb9e339c227b3b23bc550d5bb63874b0fde2b87ef1f0c58620564ee444dc7f8151bae86302e1e1b484b05177ed86

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml.tmp
Filesize
68KB

MD5
7b724aa4264d07b88413f17d75dc540c

SHA1
d8e017f02ca39029b0441bb583bc7232630f49b7

SHA256
9e3bef7fd24cec7793914878e13541b49a4a3d1efd2d76ab9b32979ce5576f88

SHA512
9ac000d2c34f44af925933448ff24d3b8b44f637331019b327e69347e4c10be2131bc2fe0512af6ed8ffe16eb1cd391f7860b516a37f0528dfcced0124416be6

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab.tmp
Filesize
648KB

MD5
ece996159f8f8d26ef9ca72b72f1b166

SHA1
08c888ff6bc1ba83a19cf4e0ffde4af8fe60ae25

SHA256
ff1daa879e2d03982a2327fce7310fb3435a7e1f04014a47f72edd14af98d015

SHA512
4a7ef0959accfdad6d6cc9839b2533e9053c3284dd2d08601736d201d595dd000f62a901f369a262403b339aca08d17bcdd760dd8ec3fba1db43d61bb28f3ecc

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi.tmp
Filesize
1.3MB

MD5
bd12dc40ccc4ad8f998f9b2cbfa6944c

SHA1
800966d05aabb58f27960fb8a4596107d6f0322a

SHA256
83fc0799b0916169e6d777edcb8654edf93cd4b457e0f838f46356b65ec68940

SHA512
11a4e3f66ab17a2167706146b82dd435884c88992068c25d7344bb111dcdeccf9f6563d3b6c716959a9b232b322d63ae542b6a5766bc7a66f67468826049dfea

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml.tmp
Filesize
72KB

MD5
2c8863dd3a37219f835d466faed69e2b

SHA1
c1a2325feb5932ee2b262200f1397f9dcb23f6a0

SHA256
52b94b2b0e09817ace8456ce1cfa04a266f87498a74845a7ec47afc7f1c29f2b

SHA512
d2e698849079c6db1bbd264a2e09e490f171fddfd1bfef0f10e4cb82a81c4cd8822553cfd9506da18d9261f00add9a87279465517213d7fb0fd5de67363591fa

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml.tmp
Filesize
56KB

MD5
119b7db20f2f573c2c7c2fc40f34440f

SHA1
632f843e59ad84e66556714aee4edd760086cbe1

SHA256
ac0d79cf4d591cb80bef3f9d98239319a4c8fae369bb68cca9629ae9273c0a1e

SHA512
2a1976e61d08df3ad405bb28cacf341eabe235fb64f7edad72a7929ea44c8dee0722eb52d812c991b2deed37b16b7e97149f39f086b51e1e016ab2d5d431e853

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.tmp
Filesize
70KB

MD5
a1955c59d9dc1ad4f2bd8522ddf721c6

SHA1
bdbd670b191878056eaf2788924edcfeddf6596f

SHA256
b1d36b4b7a7fc6e72c5823d8cbf0761dfeb0fda3120ca8481623ff55e5737643

SHA512
7bc9ed9b96364fe50bb394d260b47b41390a3888a662b65a02ecc846b9af603644dea340ee53910bc5d96c9348c1113be74532dce689220398861b04719788be

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi.tmp
Filesize
44KB

MD5
f160ed745081aac47f7456d5e24f9934

SHA1
b621c1246c251dca08cdb90c46258934616de83c

SHA256
b16fe4157dc7686ce35d4a47b0da48fd3205953903b93959ebf4c93dfa44d46d

SHA512
8c26c9d70a8347990bdd90e434b99b7dc23b5b75d0bf2bf750b32e94844e60c4cc174091ade3a82bb9b9abf9a271558dace3f0a9f931636128d4855da0108ac3

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.tmp
Filesize
72KB

MD5
94c7e5aeb64c770d834dd1c1be5c89a0

SHA1
e289d5032e59298ea6fd57a3a3356b56cb62e231

SHA256
f6c97fc1d395327c889f94119ca4a4a5d5524f2d34e796e65f4105711b8e0024

SHA512
478200d5e99c83d612bff2342ad05d3067488e4bce4f9e2dd4f1914f75e1d7389d03e1f2d41157afba56ff9d08f7401b92f4f069c5a7fb4af3f3677c7a682ead

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi.tmp
Filesize
708KB

MD5
66c87f4151f0bb8ba8ee9ee1781b57b0

SHA1
38b29c6dee26c6386e90213e195a115faf336b06

SHA256
d4d7409b4109a55fa5ea5896a2e216357d9cc3176494dc01761359a95fba0d08

SHA512
fb4f74f841c5ef96bdd92207641babd3c2921f04d2da1ab7589bf820bba8134696cd0d3869019faf664bbe0100c21058e5268f3656949874c1687141c5227088

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml.tmp
Filesize
68KB

MD5
247bf021aac15c88d20a23ddb7695feb

SHA1
2fd0df551cdccc21b7c2648d568d3282b82411cf

SHA256
b37d2c3862d6c9e5736caba24c88ac46e5d112fcd78088c7a531ad234a68682a

SHA512
3e75cad9f72e9bbe11d7d8837dcaef8d3cb1a4d9909e1be538d185ba0e6302883687e0fd29eb61e83b53940a79e21725221adba40109874772c18718f172faf2

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab.tmp
Filesize
2.7MB

MD5
481a5efc85ad0ecb6b5875ee17ed658b

SHA1
c2314196fe9409afdfd7003c8f8f47ee5c0f87d3

SHA256
f62048188fbbf78f06dd1accbaaeb2d8a72057f190fac9da246a174cf4d5841d

SHA512
c5b1f8fe15bd6913e766fdca44623e85b7e53b314cd1702ce4e152cdbaf9bc2e61caf4cc98d7faa26e47cd7078c58337f95be248c7ae9c905cf5b91327da222b

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi.tmp
Filesize
714KB

MD5
fa3538fc4f033f87736fa9f1913dd6dd

SHA1
6bedc14f239d63e8d2df122d29d8e5b7da413116

SHA256
0ea9196c80cd7a9c1b55a87f5d7980f1eea8f75a7b7f942228705fc58e1d6e6c

SHA512
3d92065c3278d1d0e23dba9552bf3be4e28b2eb29194f682799d189e6380b4d5936466a7f0107d9a55c579d03f3e13b91843941b6df101b9c8042c19e8ec0289

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi.tmp
Filesize
714KB

MD5
10da74424d0db57a89296803d585a58c

SHA1
70c81a91f5c95a06ec7dba7a9bbbc26a1d4c7496

SHA256
e6abc30ac317699399a7284a928b5323c7a2645bfa8344f6858cadde35da6662

SHA512
6be4a39894c9dc89f0e027e61eb66756267b7a74962ce8e22f2df21d1ce047d1892d62f2385e283593db98302c0606f5da2094c0d78c2e181e1f587d09661b28

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml.tmp
Filesize
69KB

MD5
cb7d0a4d35179d38cebf1d7b5fe6f4a7

SHA1
2d02227d7f4c36c096d46a2d89fd05ddbd1bd4b4

SHA256
a5543288e7c391af5fab976e8566d590e051ddd928cff1c3aa74306672dd6bca

SHA512
b02bee9e78cd534c8a721a0d925dd9792294aee1c15e1434394a5638e5b2941efe2ef04711112c886d56adc37ab4da7b66ae42a2d0b1936896724b556a3f954a

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.tmp
Filesize
508KB

MD5
ffd11ede791db02b7c44a53e594782a4

SHA1
4325dac3e619f3a7a652f55680f0583145cf4900

SHA256
ba1cf61775fe1d6ceec4d92bec5ad9f6f6fa9367367fe111171eadd4aa0b091b

SHA512
a4403d9306088eda61662de657b483a49e87f9f4051da7dae1e979bc96c80cb6d589644afa306b76c3e9265dff889d8002a7d34ce0206519f92abd9da2ecd0b4

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi.tmp
Filesize
64KB

MD5
b6f217cdbf846b7c42cf29c6cbc4a088

SHA1
0b7b6660990673c44089ae22395b0bb0aa17de56

SHA256
7a4f5471659a794298dd056b1cd1ac882462c8349525c443d564178c85e0fbb7

SHA512
17c0b688ffb2f54dd42d853f90b373538e5de15a917ef6846d18ba65e72632db22746a1d1efd958b255f6deac8aa2397db4a8d24352251b2281cf63a38bf636a

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi.tmp
Filesize
24KB

MD5
0f579c2e9b1dc9eddeb348a2e94a35f6

SHA1
c3e92db57163fd0fb50a8ab219fb41f7179ebafb

SHA256
d615c78238d49935fa5f773b4ea7366ffa9eea32ffa4b7f96f5a2d279ac52060

SHA512
d29f685d78d402195442263f6de33f8e33f4e7baa2b89612387dc1810910b36658e7bac5b86aafff8f34890ca51df7d1596df8dd3c5f7349f6e7e3bf141032b5

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi.tmp
Filesize
701KB

MD5
656a4c485df69880744f36205d197904

SHA1
fa1fd8446ba9f6d27051a069ce366f22bdea0d4d

SHA256
366966b30abddaec1395ba9b50a8ea5c833e1f8f5c4403baac1bffeb93abcff2

SHA512
4c47950a5c1c32947efed0313e229d555284288e76f7b981e3325a9f8c3d9c6d209affe2a3bb6e69fdc14b3a48d8b1789ce1aea85e286ef78ba657dab602d12e

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab.tmp
Filesize
72KB

MD5
d707ed0221580ca980c49ac538fc7dd8

SHA1
43aa375dd0beeed01c454fa67945e8707ef2383b

SHA256
76a9e23685bc2debaaf64f5b22337aa1f7fadc6f93dd4a69e30295e751663ba4

SHA512
85bd5128849512d4bc17830078fb90c656c9da3ca35e750ed46331d147c6f470fad161029c2dfaddaa157aeb58539208e9093939aba8b7f4e589f426c0e7eabc

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab.tmp
Filesize
15.0MB

MD5
bbbd9206f932008a6700d9f0d87ad3ba

SHA1
e91b707e8abbfc8ac4abfbe909f00cb4c202b800

SHA256
299240de5a524200d70336bdbaa5a9ec0db2cf4b276d5b46f8112408aadf5f0a

SHA512
e8e8d1b8442a7fa5c5b4d85b6d8a312d3e68cc824c14e1437d08087b179c8a0f602a2f571b7130ef677ddf937e7fa14a742fd6ced20261697d97a3db66197f7c

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi.tmp
Filesize
124KB

MD5
1f5048d45e675529c87e6e7b9941de06

SHA1
ff9790dcedafc9fb8b45a04c1c4f661b90f80757

SHA256
6c5da646e8f36e815058bb0322af17b331901065c6b67e7897272774ebb90ffd

SHA512
2ce1389fed4010b9cc9f50a4fbc8e7d3f1f7ae3bbd9c66ec4f4cada1c56c3aeff16af5883d6ffe5c94462a7d788442ffcf734fbfa5037133353709e3d361d264

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi.tmp
Filesize
2.4MB

MD5
52ba71a9c67f2bd750928ac92c33f322

SHA1
09fdc2aaf39eac47f58d38eec2f8ce2c648274d6

SHA256
8fdf6b5b28656194b3652b287c6d7605f5c4c9b72060edf37fc7c45ff2175653

SHA512
425dd1f21cd3b3a4138305cfd0dd72f94b6acebe40e4d5d0d7debdb3d730f0732453e6fdef6d282caa8518ec8b7cbffa2c6c9c531cc7852002f4685ed03503cf

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OnoteLR.cab.tmp
Filesize
404KB

MD5
3d57fd355ca9b954c45d0b288acd22c1

SHA1
f4c96858ae9fb29c7ca096451d41584349ecb1ed

SHA256
b978adb80ffed9e9fc52a8573627b20d1e561997864d0a933d508a5d18d5794f

SHA512
111c602e7c7ae8418d1e370db6c44f9ef97c153817dc03f35d10e491c61114d4940c88a78eafd4405d69cee94dbabb354a0e936f2b8ba8d8ba0c7f404deb86d0

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OnoteLR.cab.tmp
Filesize
16.7MB

MD5
1746a50ea9b17211314405ff4b8b5abc

SHA1
cb4105a74696b7c8fa633cb1b420d96c91d38a0a

SHA256
c17d82319e57994caaf666cbce4864572d941d7d21a66c06992c1152351e593e

SHA512
a337f562ca9dc64517225c276a58036427eda2843e752614ecf08b1de47dedab49839e0a18029a40949fa5605dd5a9eb3b6563a5c5873a0b37e466b08d083a88

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Setup.xml.tmp
Filesize
70KB

MD5
8f42266196a71f505c6782d5c54ddf7a

SHA1
24126171dbad1f472d84e1d1edb41c8a7a43b2d0

SHA256
a7a6c771d487211de8ed7961041cbb4ced36ec159d3d8222f42a20836c32f4a4

SHA512
edc8c5352af42f7d281bb125da289b9d8787b6074c679c04722739e0d70b3c209c546aac1921ca98075619673478f6e2f5a49262c8fe5f6fb122fed56bf3bf1a

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveLR.cab.tmp
Filesize
2.7MB

MD5
29789b4126709a71c9407ea31d9889c7

SHA1
cc7936df30d15bb3d6944b666f884448e088096b

SHA256
6058fec3b86287f4abd425e145306c7ecbb58a37f597fec5a42284c4b4d60ea5

SHA512
c38dc910385d36bfd361084ec15c9990649691b6608495cbd896638d18b1e110c2aa5d225e3a0d3543b9d4087e0caeacc2b6696d6e8d3145c126c332976b897b

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveLR.cab.tmp
Filesize
4.0MB

MD5
0f38e6208e1338bf5072878840ac7ae6

SHA1
87595e4fd3c6c9586df4a7304e56aa883a36383f

SHA256
e87cf1f0d7d89d540f641e7407e37769d810f1f8ff43b89cdf81cfabef56225a

SHA512
71879438c8ed5722aafd2fd41990baefc737daa49e1a13b4e2a8b6db3d2c5315685c51a1d5b6abee1b5de39dbd7c1359b9dbf75c5ec4fabb3542bdccdb0cd2e8

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.msi.tmp
Filesize
320KB

MD5
11d6fcd5779e58548366b4de9cbdecff

SHA1
eb6b48f172abc213f9428a9a69ff47fc38af0709

SHA256
c52a5da3d781ffd16fc6499fa0c997adfce8f6742dc06b09293cd104f10e84d5

SHA512
8440711ea72d3a0391ac995a50b873b2cd1941c50461858266e2c9d2e3eb8798c104bc50625955097d50a679a48102f16cba4248b6ea13f8115c359835241fd5

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwintl20.dll.tmp
Filesize
156KB

MD5
434202a65f1daa9ced58357b4b1c1d0e

SHA1
5bbdc6a6d5e440b8643a911f4cdc74703a9bd6c1

SHA256
8106efaf274a6810f11ff5ac62eb1a0697eb48fde0bc0578bafd4e12e9d119b8

SHA512
c52cac923e9de1306de86e6300c853472776f060b3375e58cabf0196c817e76f0fc964ec468699726e53e19e74fb682f83b141b8fbcda407964a0ed942d06046

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\branding.xml.tmp
Filesize
648KB

MD5
21d8a01a99684650c11829b0893c8dd0

SHA1
9e7eb319b8ee14f6e03f45fd96522e9f32873393

SHA256
ef534cdb41c97fefc0079bc47fc23bb6efebdf2b2841887b6761aed495958c52

SHA512
784656775fc396314b740c8d77b0a8520ecea01df502d09047672a7e262814effec7cae2e43c418529db3bb41d0f548a95dbb77e80c8f5550ac18aa9c35d97c2

Download Submit
\Users\Admin\AppData\Local\Temp\_MS.OUTLOOK.12.1033.hxn.exe
Filesize
66KB

MD5
07dc8371a6dd60d9656230deb9633f8e

SHA1
d913c130ffc6a5cf6fea57e10cc0a52a76468956

SHA256
3823dc536997eaa98e56c04335b03032d9c7434f66303b02664b27984b948608

SHA512
73a10c5eba71f66f91c12e7d2c46b444fa23f1494ce41a00b677e0160dd2870623d157b8bf39f670881f843a6d4493c4d828b34945c2fab57b97d1f4cf796b9e

Download Submit
\Windows\SysWOW64\Zombie.exe
Filesize
65KB

MD5
df6e6219019d480111c2ed04d8f3952c

SHA1
2322e56b7cd6325520e1e5c9f55b3b022f5ba226

SHA256
cc89c8b9d314ce51f75ac50480b090efd35c6b08539e408eeab7ed268f04b30b

SHA512
9a1d8d0d715ae6b76cca008b0606464209430333570265d1e0993c8a359a03b09ac6035c79cc242f6d11486b3336cb7063b75e643ac0843a15bbe106c9081585

Download Submit
memory/2748-61-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2748-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2748-151-0x0000000000290000-0x000000000029B000-memory.dmp

Filesize
44KB

Download
memory/2748-8-0x0000000000290000-0x000000000029B000-memory.dmp

Filesize
44KB

Download
memory/2748-187-0x0000000000290000-0x000000000029B000-memory.dmp

Filesize
44KB

Download
memory/2748-20-0x0000000000290000-0x000000000029B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads