8efb55cb779c6ce74ee790e9ea0f22c9a7d2c49060f36f39a2471bed141a9269

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 20:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

365aad4358804885e1d2e4cb9d2de010_NeikiAnalytics.exe
Size

141KB
MD5

365aad4358804885e1d2e4cb9d2de010
SHA1

747fbfb1e049b082410b47fb39d0dadf7a1c3776
SHA256

8efb55cb779c6ce74ee790e9ea0f22c9a7d2c49060f36f39a2471bed141a9269
SHA512

62dd4c97c0c895552650dc850d251051c181764b72ed4e624bf5101ccc2135344644dbc8b2683d3842678bc43a3a16b7a061dfa21cf12ccbb74b80a7548ca3ce
SSDEEP

3072:69WpQEoTdc6e6kvNDck7Tdc6e6kvNDcksh/UV9WpQEoTdc6e6kvNDck7Tdc6e6kR:nSTdc6e6kvNDck7Tdc6e6kvNDckyUiS1

Score

9^/10

ransomware

Malware Config

Signatures

Renames multiple (4860) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Executes dropped EXE 2 IoCs

Processes:

_desktop.ini.exeZombie.exe

pid process

2056 _desktop.ini.exe
2412 Zombie.exe

pid	process
2056	_desktop.ini.exe
2412	Zombie.exe

Loads dropped DLL 4 IoCs

Processes:

365aad4358804885e1d2e4cb9d2de010_NeikiAnalytics.exe

pid	process
2088	365aad4358804885e1d2e4cb9d2de010_NeikiAnalytics.exe
2088	365aad4358804885e1d2e4cb9d2de010_NeikiAnalytics.exe
2088	365aad4358804885e1d2e4cb9d2de010_NeikiAnalytics.exe
2088	365aad4358804885e1d2e4cb9d2de010_NeikiAnalytics.exe

Drops file in System32 directory 2 IoCs

Processes:

365aad4358804885e1d2e4cb9d2de010_NeikiAnalytics.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Zombie.exe	365aad4358804885e1d2e4cb9d2de010_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Zombie.exe	365aad4358804885e1d2e4cb9d2de010_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

Processes:

_desktop.ini.exeZombie.exe

description	ioc	process
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\msinfo32.exe.mui.tmp	_desktop.ini.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.htm.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\cmm\LINEAR_RGB.pf.tmp	_desktop.ini.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libmp4_plugin.dll.tmp	Zombie.exe
File opened for modification	C:\Program Files\Windows Journal\Templates\Month_Calendar.jtp.tmp	Zombie.exe
File created	C:\Program Files\Windows Media Player\es-ES\wmpnetwk.exe.mui.tmp	_desktop.ini.exe
File created	C:\Program Files\7-Zip\descript.ion.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-background.png.tmp	_desktop.ini.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Sofia.tmp	_desktop.ini.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\helper.exe.tmp	_desktop.ini.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\text_renderer\libsapi_plugin.dll.tmp	_desktop.ini.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\triangle.png.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\oskmenubase.xml.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Mahe.exe.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7Handle.png.exe.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\LICENSE.tmp	_desktop.ini.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Hovd.tmp	_desktop.ini.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libx264_plugin.dll.tmp	Zombie.exe
File created	C:\Program Files\Windows NT\TableTextService\TableTextServiceSimplifiedQuanPin.txt.tmp	_desktop.ini.exe
File created	C:\Program Files\DVD Maker\rtstreamsource.ax.tmp	_desktop.ini.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToScenesBackground.wmv.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\header-background.png.tmp	_desktop.ini.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Tucuman.tmp	_desktop.ini.exe
File created	C:\Program Files\Java\jre7\lib\cmm\LINEAR_RGB.pf.exe.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_h.png.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationUp_ButtonGraphic.png.tmp	_desktop.ini.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Title_Page_Ref_PAL.wmv.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationUp_ButtonGraphic.png.tmp	_desktop.ini.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861240389.profile.gz.tmp	_desktop.ini.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Pitcairn.exe.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-cli_zh_CN.jar.tmp	_desktop.ini.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-tools_ja.jar.tmp	_desktop.ini.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\tipresx.dll.mui.tmp	_desktop.ini.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Ojinaga.tmp	_desktop.ini.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwrfralm.dat.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\1047x576black.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.jsp.jasper.registry_1.0.300.v20130327-1442.jar.tmp	_desktop.ini.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\mix.gif.exe.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-autoupdate-cli.jar.tmp	_desktop.ini.exe
File opened for modification	C:\Program Files\Mozilla Firefox\application.ini.tmp	Zombie.exe
File created	C:\Program Files\Windows Journal\Templates\Genko_2.jtp.tmp	_desktop.ini.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\highlight.png.tmp	_desktop.ini.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\wsdetect.dll.tmp	_desktop.ini.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+5.exe.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\Atlantic\South_Georgia.exe.tmp	Zombie.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\PresentationCore.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sw.pak.tmp	_desktop.ini.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Cordoba.exe.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\epl-v10.html.tmp	_desktop.ini.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.transport.ecf.nl_zh_4.4.0.v20140623020002.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-options_ja.jar.tmp	_desktop.ini.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\text_renderer\libsapi_plugin.dll.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_single_orange.png.tmp	_desktop.ini.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationLeft_ButtonGraphic.png.tmp	Zombie.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\id.pak.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.ui_5.5.0.165303.jar.tmp	_desktop.ini.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-settings_zh_CN.jar.tmp	_desktop.ini.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Data.Services.Client.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-next-static.png.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\photoedge_videoinset.png.tmp	_desktop.ini.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\btn-previous-static.png.tmp	Zombie.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fontconfig.bfc.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libzvbi_plugin.dll.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext-disable.png.tmp	Zombie.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

365aad4358804885e1d2e4cb9d2de010_NeikiAnalytics.exe

description	pid	process	target process
PID 2088 wrote to memory of 2056	2088	365aad4358804885e1d2e4cb9d2de010_NeikiAnalytics.exe	_desktop.ini.exe
PID 2088 wrote to memory of 2056	2088	365aad4358804885e1d2e4cb9d2de010_NeikiAnalytics.exe	_desktop.ini.exe
PID 2088 wrote to memory of 2056	2088	365aad4358804885e1d2e4cb9d2de010_NeikiAnalytics.exe	_desktop.ini.exe
PID 2088 wrote to memory of 2056	2088	365aad4358804885e1d2e4cb9d2de010_NeikiAnalytics.exe	_desktop.ini.exe
PID 2088 wrote to memory of 2412	2088	365aad4358804885e1d2e4cb9d2de010_NeikiAnalytics.exe	Zombie.exe
PID 2088 wrote to memory of 2412	2088	365aad4358804885e1d2e4cb9d2de010_NeikiAnalytics.exe	Zombie.exe
PID 2088 wrote to memory of 2412	2088	365aad4358804885e1d2e4cb9d2de010_NeikiAnalytics.exe	Zombie.exe
PID 2088 wrote to memory of 2412	2088	365aad4358804885e1d2e4cb9d2de010_NeikiAnalytics.exe	Zombie.exe

C:\Users\Admin\AppData\Local\Temp\365aad4358804885e1d2e4cb9d2de010_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\365aad4358804885e1d2e4cb9d2de010_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2088

C:\Users\Admin\AppData\Local\Temp\_desktop.ini.exe
"_desktop.ini.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2056

C:\Windows\SysWOW64\Zombie.exe
"C:\Windows\system32\Zombie.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2412

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3691908287-3775019229-3534252667-1000\desktop.ini.exe.tmp
Filesize
141KB

MD5
6ff97091d49ae00731cda5848739e0e6

SHA1
da049323ac42958c363ab8b85d2d0c67268747ee

SHA256
6f96bbabb4adbd07adaf9ae3da2ac4b76164a23dd9eaa68e7dc55485774c4203

SHA512
cc9cd7999c341ccb846a982009390edeed1eeb18ae9c5f34257194d56202a2dbab742f1609316f229b0e08beb5a0a2f851dace5353022e4fe88e240dd8e40ecd

Download Submit
C:\$Recycle.Bin\S-1-5-21-3691908287-3775019229-3534252667-1000\desktop.ini.tmp
Filesize
70KB

MD5
5c483af1ade490d52bb7580f38d86be8

SHA1
4dafcede818543fc4302e3b6c97887c8f1cc0db6

SHA256
b4f32e3c26ad003ce4b38475d07f6cc9fc8467739e755ab95f4b04d7584ca32b

SHA512
b075b9975e44e055711ec54a3d8e06e5ca8ea1f60b5892760af7e201255b6163544b0e387f0c4479ee23f07a4218250ce35e1d31746357e50377451e096e97f8

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.tmp
Filesize
13.8MB

MD5
5d8c4be6c9dcd154e50140dd8e244e85

SHA1
c8d4b2f68e9e8d7836c4b29621a0615d0d23888e

SHA256
78f92769ecb56bc7dce636ff923c4dbe3d18699b15080efc5f4069ebed882159

SHA512
18cf88518c35a7b18617db2d3a772ef9741223044b856595e1ff2899e0fef042b7029a80fbb067e5578f025d28b32caa96035f15512fb0fb8280bd0d1700188a

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.tmp
Filesize
3.0MB

MD5
d0da9ac9ae756be0ea969312d6c5cc44

SHA1
14cec47787ef85fec262a3e5bad2fe7d61127ef8

SHA256
2b6f009aa7bd22feabb501061da998ea30e1ffebffa1f03edb189341c60b582b

SHA512
67473bcb3b7224ae547f39183ecdfb6c3ade127071bbc8a8af716e484ff19df78de9faa2f7b8101021bbf6ed345d73dbbddc693a88a5a8c404e771ef68271c7d

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.tmp
Filesize
104KB

MD5
3d2028115847dab0e78d9c0f2bb8e379

SHA1
51777afc634859b4086a4347c3cf6c0d5a35a8bf

SHA256
0d99a850d9ad69c956eddac1bcf28ef095272a04c1b1d0ffda4df266b254160b

SHA512
a96d7f2aa1bee26242a0202a02a10d1a7f98b3548ed265e9134c54c9393fee2be242fb77f69c0fc3d0ca258294c87991051c76b81943ca28df92838a3b873364

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe
Filesize
216KB

MD5
d06482927b209a15e7a068063deb7cf4

SHA1
1701ccbea7d6132d0cdf9f1768802b7c066c371a

SHA256
27d39e6777a23401b05eea1b029ad8fdaab9c6d7b0c9f6ba00ae71257485760b

SHA512
7ea35f37daf39fc62c9615dc33581c6e58c6481f097094f5cfd38bc181ca02112fd221f643f2efe7fd0f6657bbb018aca5d1def6cc66f6552221df1104e42380

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\osetup.dll.tmp
Filesize
5.6MB

MD5
bc8a6fe39c95bb641e6c98185904127d

SHA1
07c016c59cee1454a1dcf92533d15c3d9304f3a2

SHA256
832d584ed01aec042e590dbdc05f315a94535ae8ddb1171f5649cbd35138ed09

SHA512
89b086549d2b9afd3d0167ed6d67846327d7b2783990b13add329ae2e437c8618f1965909f4096afc5ec39c5fd77e7e0f10d417e74e90bd0bfcc2671ffc8e7b3

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe
Filesize
1.1MB

MD5
95aba04f48dfe704d318fc5863bba603

SHA1
2165ba0cf4fd8c108342e0ae00944d54fe53e4ce

SHA256
161afdef59e9d9109222abf94406bfbf455bb631aa59c496ccd907bc43bb4755

SHA512
244f1bab738dacf08f3813ebfaa07bc0348eba15dcf86258ab0f27c01be3747932da5353a8608c4afb30b94ba9367f0a7b70addd7b70dc7f10ab8f91298ceafd

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.tmp
Filesize
2.6MB

MD5
c707e1d958499216f2545573b302d70a

SHA1
b015d2b4ec9ad0da6ac43a67cb4900cd57055f09

SHA256
ad28588b2a78645256277b447c378b9477b16e67327aee5caafc46a1d15f54ce

SHA512
c31b39884453e98243ad5654036cedaf11ffa73e82dd9783e73398ded8ac6a9ba833eec5e29bb30ea32921e0e9c63eeff2c6ceb9a8421063a26ff69129a4cb1b

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.tmp
Filesize
640KB

MD5
50c6977896c39d5bcb30e98092f74232

SHA1
cf659d65f84158675d5aa4ff30e25890327ffe82

SHA256
5009547dd7c9658ca434e257c249249d2623278510dafd61a9fb1fe73a34168d

SHA512
6e7d803b3015173ef79c8889eb5556a52d848dfdb1d97f87497001283e074772ed6ab0de929d2aa29404ffc3de317411f34e2895c3c498af7f3d85c90489f476

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.tmp
Filesize
1.8MB

MD5
04034eea24cee8b5200ff8dde87f4a9f

SHA1
c4845d871b226aa4b35f3c8fcb353ae40a6af5e4

SHA256
1e7809ef0a61090da3ff44d62ba9f760b0ca69c7db511d81342ee52d9c1ef18c

SHA512
16bfc36c1afd184b578cf9dcab1302398adb9c803a22202459238a8b8d259c237abf7b476ab8e0f164d0c215dbfc75a2bbe1fce87871bd80770010024204bed7

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.tmp
Filesize
848KB

MD5
e2c76d78bb7a9911399d7000b0202e72

SHA1
87f2af88f1e9d3edf2b76dd01611bc9dd2a73e59

SHA256
c9aea93266f0ae4be0a8481e6bc0ac0dbbe60d1477bce84d90915b489c4bbb69

SHA512
33edcc21a2713d17f5a1ce297f2685facd8ed75375cf94b9c806c54bee2a37ca31c5738e1cf35f4681bc3c447f4b8400429abd3c6ec553ebcb8a10adc9f20978

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.tmp
Filesize
1.8MB

MD5
6491e0a93be15a3832d931188dcccd9c

SHA1
14d215e6383c478f77a992f4d5dca8df25be456a

SHA256
e25c6004766ccc9ee56c526de59c551ecc5f569e291a27d15d49b6a9d5aba147

SHA512
7dbd531c0ef813dd546e48572fbac58b4a6d60e52a53f66ad47baf8708a93db9a7a158591356b2b2acf01c5ab4013a01902d0a8fa7c9027d196f70735f39b7d2

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab.tmp
Filesize
72KB

MD5
782263e72e0893e5ad6ce4e37f21eb77

SHA1
9bba6389fd46215c4e72f59f597a252f8e61d83b

SHA256
580c81df2640f45612b8baecc35b44cae98b9d2d03b7e4c470d8a5603995fa7d

SHA512
ae2ff573b28eff570925fed9911b9ce28839558f3443b135f972d05112f4ee8518c6013c75c0546e5fb81059d4ca8ea036e289c9bafc3b6fa7f629f63c471f9c

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab.tmp
Filesize
14.2MB

MD5
3ddf066fbefced720415b1492ed69776

SHA1
9baaa118eeff8dcdc3d2a048cfc3a8a3b17e25f6

SHA256
457835d9eb8a254943aeca97c2d33bf618c02c8a3245922c07bdcaf4475aff9a

SHA512
a56fc1cec2c44c3e338ed0f77402b538e2fc176ccc6673477c0a9746fe4eeaf4ae40ef4425507d98c79f07287cdea3d0c46d064f5decfeaab65490d265eb7c82

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi.tmp
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.exe
Filesize
75KB

MD5
0d057bf599659689aca1c88250c1c7c6

SHA1
07bed100c0d9a435600aec5c81cee34acf1dbe2c

SHA256
4d9167f98fa68a014050b68019c72b55e0a8aafb6141f727fec19eab1fdd9215

SHA512
ecd616af8a608dbf570ae7a6751848964a5abf330602d635ba26237d01e6732353b99862b5751e7e5ed5c479b1e2442d1f92eae750514daeedcfeb31536a7df6

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi.tmp
Filesize
1.8MB

MD5
e90830bd63096bcd9de387e23cec200b

SHA1
0d913ec363bc542b89f6797dc825aa8f4027192f

SHA256
e2ffed8010a22a11c4183726afc630a1ced5e9dad5564ba045cb188f0077fa20

SHA512
5ba5354982f0a5d685be0898ed0d4b158ee7afc06b3323707512510a5fe2d68669db595d4bce21fb2234d79ead638cdfd0101782f9ccde2860c37c17ae45c895

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.tmp
Filesize
1.7MB

MD5
9e6927e8d90d39ee27bd1702046fb8a7

SHA1
df106c6975fd21780a59ed502f6c5dc58bd47785

SHA256
31d0afbbe77459aa8257068fd25a31404a9b8ec9c58415a50d322ac62b753e21

SHA512
eff489e99c63aa48dab408429d828faa9154d715218a6820fb4b1e19ed3ee5c84bb20cfe4406e72be224a87638bca2006e1f3165d44b5c40303af20f9683c091

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi.tmp
Filesize
76KB

MD5
46ef21839903d28c067720b3400254bd

SHA1
91b1d12256ba3ddc3295b86dd91cbb6bf619bcb2

SHA256
d7f1f52eb5ea1be36650d010fa1a7fd9b758779dc1b9f73254679ada5e8482c0

SHA512
543f6c5ac4f27f4be4b936b197cb0cfca1eecd1e81e38f633ae37f7ce74981eda2a548599ea9a8ddf66a19f079e6fbc1d2f438d56e33bb65a0f8159fa44d19d8

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi.tmp
Filesize
712KB

MD5
98cf57e74c864925641549bc123f62f5

SHA1
51b0336873b4f4366553ed1e987206ae69d63fc1

SHA256
6edb60be2aaa2eb8babeac9cabea2962c03f08432a9a18df745f6f62963084e6

SHA512
7da434f7702cc705cd3cf3307b67601f8eb525d5880d25b52a3d7aa3ba539590c565ba15a8915ecdc8e7a8fc9ffb6adcad0c30b84a206e3bc0bf95f92cd9c116

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab.tmp
Filesize
104KB

MD5
cb9659fe8a99a7109d8860baa736e097

SHA1
b60467780e501ebbba7e602e00a815fa1ef9cc22

SHA256
d08a6ddc713c3bb226af287dca7fb5676591c826f26287e00bcd1eb236622434

SHA512
4306b1c98aeab4aabdf36d595b6e00e5959165c871af8cc8dc1dd9e085690d5d519ea2b58d4ab05d70fcde4bd918609fc82450f85eecc139dd4b1f616b503856

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.tmp
Filesize
5.0MB

MD5
acdf4ff85bc75fe316a7fddfd516a230

SHA1
39c40e4e1eb51deefd1da7af4146f6a8fdbb5f5b

SHA256
b57fa29ab0168122afdfe0da195e2fca935786d6cb1415b3c37f8c3be159b58b

SHA512
d9ea230dc526e360bfe5d6b72abfec4e8b0ed721d2f914780f01d6914c6e7fc949a776068c35193073d61d60114a683afc5b2f89f5407676da01e25ab2fdd657

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi.tmp
Filesize
722KB

MD5
494a0e66a80c9a3407513ba4c5630e95

SHA1
87999c3a68fea85a1b7db1cde8677279c7862e99

SHA256
ced35affa242cfd6d3b997498558e939805232ebda288bf2ddadc84190a1f5ad

SHA512
e3043dc934a4b0207b87ebf45c6408093de2d58e212e0cb7e5d0ac4e19cd9dde955d0db234e05f4f7ea2fc08b232b983dfccbf1c90025d3078135efc329197a4

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi.tmp
Filesize
705KB

MD5
d043793f93ed89429777b5b6fae5aa55

SHA1
fcf28f386fd252ec4290604d9f0b0ad68ce471ae

SHA256
3a9c16d25bcecc37aa14c55e70136e5acc13e4d265d1b07b14ebb3bb117b33e9

SHA512
d933c204109a46849078ce3092d9b448b0f125a05d62cb47ef7254da85619b77cdceacdbbdac555869d53691cf99b1695915960967e3f1cb2b2e583bf9b146e5

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Setup.xml.tmp
Filesize
76KB

MD5
9d83741b2ecdf90110465740ce0fde9e

SHA1
d0e836c62cd5c422c2bff55335bd2171c82470b0

SHA256
a47f986d3661b750313ff1f0015a2e9f0c7a587fc4d7bc88413c392dd0d30c7b

SHA512
5fd73784f01916d7d7a820994047f0f2776aa5f6be0ffd6ffcadcaa5587e759d292f7c2e0d47068414fa3db0f3ddd4200b30979b8522ea0f7694b7c50801dd19

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab.tmp
Filesize
72KB

MD5
f431539676ead2e3d12456b6816ea8b2

SHA1
560db70d3a9e1f2fca6b760b7008e769c0feddb0

SHA256
66de737d2b85b2e8bb8e7e249234c121ce83489e86f765ad589da15a58923bf2

SHA512
139d5dac8447b736c5371812f911b35fd855cf622ae427ac51d8bf35dd9324cbd05a91c750f7b878ecbfbb4c75c78b3f1371eb3d75d01c16635fa40e3078bdde

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab.tmp
Filesize
15.0MB

MD5
7f9846752644d675792aae9270c5f708

SHA1
852937554531597e909ad1505bf7f439eefc9126

SHA256
547652baeb3e51c282e3b4b388924ba4413af2a1aec6b952c7a8c2148024a70e

SHA512
8a75150a07d87ae6bf2ec08a068c0772d27fc721a46779ac0cf8ad4b8687877733faa9a1566cb3f3862e9cffe5a54bf15c9b937f96de3fadf751ed144861b2cf

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi.tmp
Filesize
2.3MB

MD5
cb0e4e01659fecc82af25988df3a749f

SHA1
53ef333a5f19328a71addcd9384ceb191c27271d

SHA256
2fdabeb7a5b3ca35c68d53bd52e38ea5c3534bb11c90a2ba257a856cc4447082

SHA512
cf9c8b6a2b86659e0f3a91e83ce2d1f54f81c555af1855c4ee48548b734b2f47b85eda532922da25d08bda55ace982a3fb6771f43c4850fa3f4862d4b152a54c

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi.tmp
Filesize
2.4MB

MD5
88d3792a1c179bf2c6c9b0bc1432fafa

SHA1
d7149204f52f29c0ca14acbdb6e2049b9253a441

SHA256
8f9df826e2b3d813698fb94a9eea3dd607e2f40b2e4d7643621c29d876e25c1b

SHA512
1f519e8ad9ff32d35ac51b4eb3bbbf1c9341e22931f0cf6a573ea4b2791d8662e892ab0901f51eceaecf9087ecb126a654d31e04fead2345672c772b83e40153

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.msi.tmp
Filesize
1.8MB

MD5
73dd4a1b7ad190aa7b7b87156851391f

SHA1
767f23113036b51028da80c5a2b05bac3a242745

SHA256
54dfc61175cdfeeaec83542cd1d7c4a04d1ed81e5301707ab2105a056cf745da

SHA512
3ce5d0468399981aaa6172e63a7c842871a013030c6b2858e8a6a5cf961d0a7b3c7523f20a40f0dba913b40202c8773a25557665ae916749f105995e1152a8a0

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.xml.tmp
Filesize
73KB

MD5
31c4204048ecf290e4511dd155179028

SHA1
d681fb19cff8642a7943beafaffe35c0c3828990

SHA256
c233fdceda00108898564701678cb9d30059ffc06a8dc1e822c159395d07b9d4

SHA512
69a153b0f48df195e34c02b3eb66f1c9f9fd34034c94e968385000177e1c07fbfd12615597000be53c24e2f69f671fe59fde6ecfc32973b84cd2fc44a375e013

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OnoteLR.cab.tmp
Filesize
3.1MB

MD5
04963434537e4f82a7d74852cfd51915

SHA1
9af9f315f6a56ed62e19dfdc075e69c6b602fcc4

SHA256
22f1bbed777a5e774c1d088640c624391b59848e2d717b2080f4421da968425b

SHA512
830657e52c1189dd523a59f008207e1565a45bd5563a4ff8182a26f3d3a8aebade388e04e754539b3fc1bcc8887ddea01b4d6c2ef38d63a5b3cdaa4c61199139

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveLR.cab.tmp
Filesize
2.4MB

MD5
0da7226e2bc9c99f392c511863173404

SHA1
36ebcc4031373ad36287eb403b6cc93b4bebceec

SHA256
22a10e371f14af403358de8be2eff4d1b3623adca5544a21c7d777ba4851ae03

SHA512
f063a5980dfc46432283cbe821332040475240e0ed5a9da134d5e5cf164f9fd435b2f787f1988a58f7be43bd771e9b5862928b175ce73a5f12f84c1bb9d1c8ab

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwintl20.dll.exe
Filesize
176KB

MD5
7aafed9686095b310280bac2efbfe386

SHA1
79f0bcc594ad1730afcc450d23f7013e89652ff6

SHA256
51e450ee385aa267572b62cb9e9a8da0dd9ce6174cc546aba91292c664a93c8e

SHA512
309ec671837b84ba1cd4ab175696c5063bf33d87069a0ec024b38d71e904946a47ae1107afba3b95ccb167897b6ddc825c11c77036d87b077253d2bec5438f0b

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE.tmp
Filesize
72KB

MD5
dca4ac753b6551a7eba958fe277ebedb

SHA1
ba92c1e33294f9ebc198847ed7e33b238758107b

SHA256
b4cf17a26c5f4d49caf2a641ca8c7c76fb74ffe61a5b4358d156269ef01424bc

SHA512
d1520bd1eb4dceff9dd257b20cd83c6cac22b1a57770e02ed5f6b4462e76637e828a50cd10dc888781236f823ecee292a7fcbffde988c6adf9708ea4f4ed7e5e

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeLR.cab.tmp
Filesize
5.8MB

MD5
91d3eb4c784ab0e47a95278b67874224

SHA1
af9b413a1059fc236eaf6f6a2609fadb28816a14

SHA256
0e90b35ccad332590c63269f4a58e45d8052d2244cb58a5919c1f7191615d225

SHA512
eb2bc9cb0f4190bf1b292ed731e7d2881b5fda0afd0f225d1c4c9a6460b011148723d08a63ff2fd87b73f38a86f5d61f55a656e0aa057d0f8edb6a8f50d548e0

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.msi.tmp
Filesize
2.8MB

MD5
59eb2da274f0c91cf165147e46b88678

SHA1
efdea6587160b3d6af2b701e4e5dc5c85cb550e7

SHA256
744e2e68c039320289c1dbdf0e701e361f66daf5077855aece8125b98347fcce

SHA512
8d91e8b98aee5b64027ad70a21db5e5d586e977a5045b969a7492753eec7d322251652f5b7a0bbafa71432d5a5e4f0afffbadff82049ace20b8993e5e6b1dbc8

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\branding.xml.tmp
Filesize
653KB

MD5
5cb315e9c8b0414215b35f702f167f7f

SHA1
d2af544da59910885635749c0f72f27969a0aff8

SHA256
2d06903ffc7e6897b32456377fef94ca5b2be4294f9515c427607b668b9acc09

SHA512
16d6895496a20d727d04c26f79f058833a07157d6ea30bd94c7aabe6c9102af688f7bf4cffab25bbeec5464b87d896b21f5b92969bcae3592a02863cd6c2d78a

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\branding.xml.tmp
Filesize
653KB

MD5
1243c0ab7aa86e412993cab20b1fd003

SHA1
f91b5c0c1e2cd528de21591e715d5b8d696e6837

SHA256
917c30843b539ef1456f3baf3c94dc073a1501debc128d7e6f292ded131a87a8

SHA512
aaff18d565eb64007674a37c3e804fed1b54430ce7f29db211488440e3dc4e17e3d8c719041294d63ce1860ca8b0b4bb650b4922060fa44753df405c8d2e560a

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe.tmp
Filesize
578KB

MD5
e331fd101542002a7133ae232a8570fc

SHA1
d7ed29026f9f666f67b6e95208bede37eb1d8925

SHA256
b66a9b4437773df933a8741d388833dbe2af552f4418aecdaf8b6c0980cbb447

SHA512
086a962c33cadff7b0a96a90a50a7baf66b3e84edf4d70f5d3ec40b6a2f889421e02440f6bc862c3b3b7d9a2f37a624c38cd5fb80a693f0cfe58ccd01711d1e7

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.msi.exe
Filesize
708KB

MD5
94bd3c0616849ea7f34e1c34eb0e1de1

SHA1
1c29a9e1c74a63a12103c6d4dd81ba4dbf75bc7e

SHA256
6671d35cd84b6cce921f46aa64f71529ecb89e11c3688c12ce2e79a6de9829ea

SHA512
c23ed1a74df1cac6994416348514c43bab93d6c088c57d27d749deced19073a9d62ff8c43df548e8277f8aee2d4e6c76388cc3fa5352e1e03f58973bf5eff75c

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.xml.exe
Filesize
73KB

MD5
3f2abcc086d9ec7160a4cd0e9b1379d9

SHA1
881e4e94f617b3ab4c01810b8f6c81e3b5569124

SHA256
9a2c5943bfbc121cb1e61e86f10285b0bcf33669d9518e9be724883aa509aa81

SHA512
7e36add5525a6f5861c725a58409b4517d2fdebca4087a9220676ef287bf5be97b6859bf179f9fdfc205e4888e65ac6a629a1b1b5c9451a7cea62f072c98965f

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUISet.msi.exe
Filesize
705KB

MD5
ff954ffc56d0e1cd84485d425a53434e

SHA1
4b2ce093fe497d49d060ef696b7893c9e6639610

SHA256
99d6aef759a8469f7e5af0250f1a374eb14d8812576057dbbd40671230efdcd8

SHA512
660f6200ab034fcca268fb2c521888238c129134651a57a167b47ea6eadd5d3eda18e08054fc88ae77bafdc3ca797c173adeb0f804ee938de4c5365dc6992934

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUISet.xml.exe
Filesize
71KB

MD5
349a0b9a4aaafbc866faf14ede3698e3

SHA1
2c3955ddd94e31ef2de06605147eea6b74ae9dc3

SHA256
55778f64f7fff1332bb032dfdb3c7c733b25d7ab6c33648907581de79bdfe252

SHA512
c85718212d51ca7f225f6cd6c9c7df55e1c0e2b4a9e64a21df162e987e90d89fee9740a90f9414a4484997eb256abe7fd1ab349a7d5a6a14fd6def2742a6c50b

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccLR.cab.tmp
Filesize
2.4MB

MD5
02b2f35b521502f20d81fb109e3e5126

SHA1
a8e5091a5c2c1128bf465a0bef7c9deb9d1c6648

SHA256
156afe1dd2f0a81f3855e5a488b8f61b23140f9b8786919482fc81f9d12e5588

SHA512
797823de3bb40d462f0adf89948af328f57ec7550f4f86380f13309e32276479a68dfe7785444db7816f23ebb5568dda00915fc4b75e0a649dffef7271858832

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccessMUI.msi.tmp
Filesize
1.8MB

MD5
22da476a82e6deeac6b99f0b481bf29f

SHA1
75cb1a4c561b5b69ad2863563f5c0b8ac46da2ba

SHA256
54ef0800a15d01ead6895011adac2d6a5aa08ebe81d1b56aa3c1e205cf7c5e86

SHA512
6f7d5c7bf71162419af465e62992739b0d1a76b5359fde4f3a73660e67eaa4357ed4b8b048c4da3d92f7430ef62a7e7769fd91a812c79d5a9ac87b8059710a6d

Download Submit
C:\Program Files\7-Zip\7-zip.chm.exe
Filesize
182KB

MD5
88b6f9d54c3f0e6496f44d5259732e0b

SHA1
8b9e4ed1f28107b3a640416969b29108e679ad6d

SHA256
296429f8f1b922c78a3847a6fc93dfcbadd533d868d5a9ee136a8535d9d650e0

SHA512
9c3a439d1bd1d9b5f8975b53406bcea9ebbca1ea723c865976e3d62768fd961e7796354eabf6a916869e24864235f24b5d964e379e6218d2e4982b33369c98d8

Download Submit
C:\Program Files\7-Zip\7z.dll.tmp
Filesize
1.8MB

MD5
d72f3d90cb73f5e1447302533546a185

SHA1
d7ed3cc2c289058ffa5b8cf0e908a7ec5961e4bb

SHA256
9f0d51a77d9f9dfa0fedc1a6c98a3741bd749e4d764ead211617986944963d90

SHA512
a964e813079b9937c37802396c0caeef6c07ab3a8509a8eaa6d71baf15b36d1d4f9a56e3adcaea1e4b546d80a8ffc31711748376260298d655b8c5fe30663000

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
614KB

MD5
65815ce5d5015da92880c98df51a3dbc

SHA1
2cd4e28bd2bf2dc0583207ad4e8c95b32ca9968d

SHA256
977f81e2f70e6eeed4610250dea4eb5beefa1a2fc6d0575b67eaab0bdb047516

SHA512
3b21cda0f960f5c6d47858aaf59575c6b01424fc45094fc4036a1fa6d8c3e14b7fd1baaa921f27a08028860ecb06c034c9d59b98a04ec0cd17b63c4b26258d13

Download Submit
C:\Program Files\7-Zip\7zFM.exe.tmp
Filesize
68KB

MD5
8a6bc84a1a56fdfcecb1aa9a13c1132d

SHA1
4f532c41d731f9c4ae310c03c0c5626acd3a5c36

SHA256
8834034e7e8039a2509f7c68a14f11c9916ff493bf55151815a142a717af0350

SHA512
c6361f6d0579bbde7a39677a341a8ca801a0f6f3884fe882a5267b4c63fe224562cd6a2d2ee6a3288aa8074381e4e2d341213eb4b33ebd14fa26a5a231be5a29

Download Submit
C:\Program Files\7-Zip\Lang\af.txt.tmp
Filesize
80KB

MD5
92ce77d628d7cbff6d83a9a1d8d2d106

SHA1
88c8fb51bf79acbf0dcdb1a38344ed9ddc070f48

SHA256
842a89ad5d9a5154473f5fc084e70d06c8978585c652b8703849e635ce46eb23

SHA512
a80177819773c5b29672c20d54c5478c62d2186dfa3e9e6186fab183f81921cb6d7557b7fea3a626fd3f46fd73a8ee063cb3ad9debea52486f2643d987e86879

Download Submit
\Users\Admin\AppData\Local\Temp\_desktop.ini.exe
Filesize
70KB

MD5
5f06f8bae3d8c1a6d4f751b735958833

SHA1
a41c3cd115b7d03ae9defca8e43ed0796294aa87

SHA256
1ac315b682c9783df3acbcc0694bce3313161208b8009ab655ced6cfaafbea85

SHA512
2305620e4bc1c7ce9095bacbb100268c5c053bd0f2f5b328f216db2ceedd52f910d49c38d5f84b0536b866f47ff8631468a1c16b715d062651917633ca20fd66

Download Submit
\Windows\SysWOW64\Zombie.exe
Filesize
70KB

MD5
8ec8e3dfeaf97d53cf82d225a244e934

SHA1
f4e33d11941cd3f7d0b11d88d4e3566c84124224

SHA256
cfdf76d0a08e7d574332d84bba86edfe8aead502f1df9d57d848397f60fdf022

SHA512
5ec623e5b4954658500471033c0fc9fdc5abb92019502ca6cbe79ec41886e96de9aad97360a8111f7fe7ba1fae5d01c2acec6f028fe0981560e24c7573a70835

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads