194991a3305e13f356444f88e74844a3d4da65b9419f8a105ead62697355b82f

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 06:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fac1d6c8a406f2fa03194dbe54bfc920_NeikiAnalytics.exe
Size

198KB
MD5

fac1d6c8a406f2fa03194dbe54bfc920
SHA1

f3259f09735424d2256c42f783d6f162f8867f66
SHA256

194991a3305e13f356444f88e74844a3d4da65b9419f8a105ead62697355b82f
SHA512

60c6cab29209a91d8cb7ff6c90acdef4de4ba5fcd6f9b71249817d3e518c181734cb27d98b97aaff6096bcc70b46551f9c8030fc7b4691d41bb079986ddb2b58
SSDEEP

3072:6e7WpoYvHYvIe7Wpxe7WpoYvHYvIe7Wp8:RqySHSrqqqySHSrqG

Score

9^/10

ransomware

Malware Config

Signatures

Renames multiple (3663) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Executes dropped EXE 2 IoCs

Processes:

_Print Management.lnk.exeZombie.exe

pid process

2240 _Print Management.lnk.exe
2576 Zombie.exe

pid	process
2240	_Print Management.lnk.exe
2576	Zombie.exe

Loads dropped DLL 4 IoCs

Processes:

fac1d6c8a406f2fa03194dbe54bfc920_NeikiAnalytics.exe

pid	process
1740	fac1d6c8a406f2fa03194dbe54bfc920_NeikiAnalytics.exe
1740	fac1d6c8a406f2fa03194dbe54bfc920_NeikiAnalytics.exe
1740	fac1d6c8a406f2fa03194dbe54bfc920_NeikiAnalytics.exe
1740	fac1d6c8a406f2fa03194dbe54bfc920_NeikiAnalytics.exe

Drops file in System32 directory 2 IoCs

Processes:

fac1d6c8a406f2fa03194dbe54bfc920_NeikiAnalytics.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Zombie.exe	fac1d6c8a406f2fa03194dbe54bfc920_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Zombie.exe	fac1d6c8a406f2fa03194dbe54bfc920_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

Processes:

_Print Management.lnk.exeZombie.exe

description	ioc	process
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\InkObj.dll.mui.tmp	_Print Management.lnk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Moscow.tmp	_Print Management.lnk.exe
File created	C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\icon.png.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\js\timeZones.js.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\de-DE\DVDMaker.exe.mui.tmp	_Print Management.lnk.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\eclipse.inf.exe.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-ui_ja.jar.tmp	Zombie.exe
File created	C:\Program Files\Windows Photo Viewer\PhotoAcq.dll.tmp	Zombie.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Mso Example Setup File A.txt.tmp	_Print Management.lnk.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\UIAutomationProvider.resources.dll.tmp	Zombie.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_output\libcaca_plugin.dll.tmp	_Print Management.lnk.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\drag.png.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\css\flyout.css.tmp	_Print Management.lnk.exe
File created	C:\Program Files\Java\jre7\lib\zi\Africa\Khartoum.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm.tmp	_Print Management.lnk.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sr.pak.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Johannesburg.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-execution.xml.tmp	_Print Management.lnk.exe
File created	C:\Program Files\Java\jre7\lib\deploy\ffjcext.zip.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Darwin.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\SystemV\CST6CDT.tmp	Zombie.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.Entity.Resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\cpu.html.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\css\settings.css.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe.tmp	Zombie.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Chita.tmp	_Print Management.lnk.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\css\currency.css.tmp	Zombie.exe
File opened for modification	C:\Program Files\Java\jre7\lib\images\cursors\win32_CopyDrop32x32.gif.tmp	_Print Management.lnk.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\css\settings.css.tmp	_Print Management.lnk.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt.tmp	_Print Management.lnk.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Bissau.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\liblibmpeg2_plugin.dll.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\ado\msado20.tlb.tmp	_Print Management.lnk.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\de-DE\ChkrRes.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\timer_over.png.tmp	_Print Management.lnk.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\EST5EDT.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Santa_Isabel.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\graph_up.png.tmp	_Print Management.lnk.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waning-gibbous.png.tmp	Zombie.exe
File opened for modification	C:\Program Files\Common Files\System\ado\adovbs.inc.tmp	Zombie.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\pt-BR.pak.tmp	_Print Management.lnk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-swing-plaf.jar.tmp	_Print Management.lnk.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.IdentityModel.Selectors.Resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InkWatson.exe.mui.tmp	_Print Management.lnk.exe
File created	C:\Program Files\Internet Explorer\en-US\F12.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l1-2-0.dll.tmp	Zombie.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.DynamicData.Design.dll.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\js\picturePuzzle.js.tmp	Zombie.exe
File created	C:\Program Files\7-Zip\Lang\nl.txt.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-output2.xml.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-core.xml.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\ado\adovbs.inc.tmp	_Print Management.lnk.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_rainy.png.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_SelectionSubpicture.png.tmp	_Print Management.lnk.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SceneButtonInset_Alpha2.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\Xusage.txt.tmp	Zombie.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Fakaofo.tmp	_Print Management.lnk.exe
File created	C:\Program Files\Java\jre7\bin\t2k.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-modules-favorites.xml_hidden.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Madrid.tmp	_Print Management.lnk.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\localizedSettings.css.tmp	_Print Management.lnk.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\js\cpu.js.tmp	_Print Management.lnk.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\play-background.png.tmp	_Print Management.lnk.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

fac1d6c8a406f2fa03194dbe54bfc920_NeikiAnalytics.exe

description	pid	process	target process
PID 1740 wrote to memory of 2240	1740	fac1d6c8a406f2fa03194dbe54bfc920_NeikiAnalytics.exe	_Print Management.lnk.exe
PID 1740 wrote to memory of 2240	1740	fac1d6c8a406f2fa03194dbe54bfc920_NeikiAnalytics.exe	_Print Management.lnk.exe
PID 1740 wrote to memory of 2240	1740	fac1d6c8a406f2fa03194dbe54bfc920_NeikiAnalytics.exe	_Print Management.lnk.exe
PID 1740 wrote to memory of 2240	1740	fac1d6c8a406f2fa03194dbe54bfc920_NeikiAnalytics.exe	_Print Management.lnk.exe
PID 1740 wrote to memory of 2576	1740	fac1d6c8a406f2fa03194dbe54bfc920_NeikiAnalytics.exe	Zombie.exe
PID 1740 wrote to memory of 2576	1740	fac1d6c8a406f2fa03194dbe54bfc920_NeikiAnalytics.exe	Zombie.exe
PID 1740 wrote to memory of 2576	1740	fac1d6c8a406f2fa03194dbe54bfc920_NeikiAnalytics.exe	Zombie.exe
PID 1740 wrote to memory of 2576	1740	fac1d6c8a406f2fa03194dbe54bfc920_NeikiAnalytics.exe	Zombie.exe

C:\Users\Admin\AppData\Local\Temp\fac1d6c8a406f2fa03194dbe54bfc920_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\fac1d6c8a406f2fa03194dbe54bfc920_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1740

C:\Users\Admin\AppData\Local\Temp\_Print Management.lnk.exe
"_Print Management.lnk.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2240

C:\Windows\SysWOW64\Zombie.exe
"C:\Windows\system32\Zombie.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2576

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2297530677-1229052932-2803917579-1000\desktop.ini.exe.tmp
Filesize
198KB

MD5
4d65287576d4646e4eaf9ab6735d5a1b

SHA1
1bd66e53ed1612b024faccd494dc68ce2459b993

SHA256
b8b31ec2bae67d7b4596a59a553bfd91d14694d0c2d1796086080fff861fa581

SHA512
238f7ed118155b1df185f12e05e8e7ffe3a54c847a80d2ef636a203bafab4016e409431fafaff6dc77d594042fdceceec535dd97fdae34e9e414af70be1eba08

Download Submit
C:\$Recycle.Bin\S-1-5-21-2297530677-1229052932-2803917579-1000\desktop.ini.tmp
Filesize
100KB

MD5
5e179863f36e0b1c4ecddb2c713ef446

SHA1
afda09c7e2f67e67f6f5dc932db352f7ef886008

SHA256
28831cb858c4a3a8356de09b653d10513fcb4fc79498bb34b0cdb3bc65033576

SHA512
2bccccde4a5084243d6ab2e3e3c9a4b36209c3872377b6e3053fc4627cd1ac1fdf5adfbb27bb35657f7fca46298e2a39247d8143f2707f6317d42c6eac707483

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.tmp
Filesize
16.4MB

MD5
0f497f679823c666371c71f4b2e71d23

SHA1
506abe2fd2b167fdefdd287872578d7539c27933

SHA256
5484ed5be9d3aee14a41a307ed35d7010519024b45587017561d67902456e0ba

SHA512
ba3329f239f65a48fc29d0e67ca7e31f3332101cf020af7d31ea0935f03ecc41126f9cd5860d87621055749b4bf521e464d8002bd282c88ab6a6197c87964778

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.tmp
Filesize
22.9MB

MD5
e9f48380a2100ee3ff5bdb435739953b

SHA1
7b6bb5dd2dfc47a82324a16a3420866d866d8075

SHA256
58d945849e054ba0ab5ebb3e31f058ae9f0c6be58244b83c8cfda93c97235d83

SHA512
a52557f86c51d2a1fcd34aca1fecdae45c3213ec0775d4b0ec145354b27c152109a62bd04a48f9e83948371a4ac4a7b0429baf473b2efab1d58d2268f5844b8e

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.tmp
Filesize
3.0MB

MD5
b1249c09ab2ebe6d879747f3ba787281

SHA1
b66703312e7bd650e575c65b3ce2ab69d3dc7629

SHA256
ca242706475703bab73b618751c255177866d2b6663fc2f8e5b3397c5b9a85c4

SHA512
874d1decf7310f6ecea003c076a278decf11e1f6e269d592e8f1a7d31ef1ceecf687fc455b57cab83554dfee291c82a3f28da93945080274d6b5c5538fee369c

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\PidGenX.dll.tmp
Filesize
1.3MB

MD5
7e980a3cf7bdc3444366c0acba50fa78

SHA1
a9028c63d4c2d9bbee5c6eca107e9bc1f615ad0a

SHA256
ad9e0c6fd9b46568353e0d44da7e9c4f93389dd899592ad4f1a1495cbb4cf5f8

SHA512
e992f099886db73a5e81542b0488ea60aa18e0d872380ffb40330731a30c1d2615ef9ad92658f45f5b1b15d741f45c86169b0f4b32edae453f694726b6195507

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.tmp
Filesize
3.5MB

MD5
04ea5ebcb1f99060278f550b69effa41

SHA1
f2920258838fb8c991781127f07675cd413012f9

SHA256
6a8e261ebe35fd0c0619d0e1d3a19a809e80a5b8d220e44935b84dc5248bb74f

SHA512
7065e023d617bfc73797a2ebfc348c79b448ab2d181479cb325edf226bc9ea7aa7aeb40a20ea4818fbf6f73e93e974aeea196a976f4a9935cf1084dd2b2fb588

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe
Filesize
246KB

MD5
afc023b93eb60f4783e3423a4939506a

SHA1
f3fda92e51c030d4d829d191ecc5ebd2737497a7

SHA256
1d825f98e8f155624ad0e0b2edc2e46c88081834519b92f58dffdfdc47e0ce2e

SHA512
01e7478f9883a734c598d494d1e1d0abc93f8920616ceb1fa5e44e967db9ba287443355e8a8552a698d1fd8cf67f91134949d88229c208a39e7ac7f83fabaf94

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\osetup.dll.tmp
Filesize
3.3MB

MD5
fc3f666814413aeb56afdc817c0aff00

SHA1
ac4c08efa7e5c231e1b7aba1596a72a5bdb0638c

SHA256
70b3ea5d819bfcb73956cc4c02f3f4c8b385c2cecf28c46fc5f37ee48e627059

SHA512
0b782784b18be7671260d97052d1bd7761e48b1ae0f44ea992e4f2701f4ba5e43690904c9f5b1f8fc79c34e076bda532ea605b65bd1a69ff63459719291b78a3

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.tmp
Filesize
797KB

MD5
190e24398e1749534512f937116a977d

SHA1
e9ccecb81b9ddf915b164cf85b313026d7760f92

SHA256
fa9910437784a8fdaa8f2031b40f652e419701d6c977d1ba1cce230c175dfc84

SHA512
60ed657ad5ddf1d5070646dbdd4586abd801b878cf5298e0caf8a579ac8e524067a24dd18a13c641c6a4293baa1c77174f96f9f8cefeed686cb5263784b96ca0

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe.tmp
Filesize
1.1MB

MD5
7960727420e3641372624e2ea0b50566

SHA1
d162b8d9e14faded138b6201511bdadf02a82da5

SHA256
2b1e6edab11b8cea5ef72abe06ef4fdae32abdb096ca94f8ccf4b20bb4d43c6b

SHA512
bce5358b5206c9d0fa6ed94c6ac1bec33155c005f6ed7edd9068bbe910dcef5571460e862ac47db7a3e183aae09605b03380cf82f6dcdcffd772987ca8518985

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.tmp
Filesize
3.3MB

MD5
c30f1bd02ffe22e193251660ce5c71f4

SHA1
3380ef16bad06a16392685a115662daadcb72bd4

SHA256
f9fb8413ebeba10cad69cfee97480c0fc0e40fe213cc47f845ccc0ea575480d2

SHA512
916f13f52d8b2ecaa9586b9276caeeeecad10659d8a11e1af8f6ca0fa25bbe71500c56a01e7a2bbfa56a1597a708b034efb32056c89a8bf389f20511f9f5b102

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.tmp
Filesize
1.8MB

MD5
3f0ee6cb62cb2c9b47e873c137fecbc0

SHA1
e22423e64be6d4e33dba86fa653a2d3f2122add7

SHA256
3ef819173582ccbc53f61d7f538cfc527daa48297413e8a49fb9ba8cd23c8ce8

SHA512
8492c9679637477d10b83014dbced511a4e36009afa36e2d7b868aab2236c11e0cda8ad9e48874e48011b7dd632298857f5c4f734cab8f466d38011205d2b400

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.tmp
Filesize
1.8MB

MD5
e5bbdedccaa0f92a3d5b4abfef108681

SHA1
987f8c6595ca984f300f90f986aedfd81bb9de13

SHA256
adf41d4d5ef81ffabbf6a495d7b85b758ad0821650ef830822f34caccd3d3d46

SHA512
d7a2c453c26eb320fd9684478137305e54d40c3870156bec124a924049f00eb11c9f99f918f118ebb3fa2e7916df75118dec4832496a5a00480494df45f1dbbf

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.tmp
Filesize
9.6MB

MD5
b4e739128cc480e8b631b54ae3ca5cce

SHA1
fb8b961eabdd3c661eabaf6dd7443bd28ff599e6

SHA256
17eb401b42ab86be4f9d79bf2d9f1c716c29e2477a4a4c903139b55d6403eb06

SHA512
224c89e8efe2e01720233f1c4233f1dbdeae4f7ff9ef884eac8d01052ca6d64babfbca546dfd8637082fd26b5d5adcc1905c0d80a5a5fc59083cdaa2bf46e649

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.tmp
Filesize
1.2MB

MD5
92b9429d941bfe76dd2b151effde5106

SHA1
859537374583bbdb16d1db3687286f306342e0ad

SHA256
02ab94fedc0db514a555874255f64aed6664b79ffad7ea5d27400c3eb87242ad

SHA512
e695833848579183ff53d2285d6be701956c3ed84a3be01e3de91e3a91eeb804a2ef661386659ab4a16e28b753dded47e15058498c79d91ba1a59b94e1c7d9a9

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab.tmp
Filesize
14.2MB

MD5
8bbea483948f040ed46a8bf5b54cb8ea

SHA1
c73824c2da3bf48c09d4df158444248952fae243

SHA256
56652530a4f8637113621f7e32023b3ae8594b72519f19cb973e67a35dc55222

SHA512
3a427b5585592295087b97b471d4b42305809e6c01b2fedcd393d5c740c1ef79f5fd3a51274a404619dec8bfa0a717be5aa1f492a21bd468e7f78158c4931489

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.exe
Filesize
102KB

MD5
7390fa5c8643d817de7a90a7f382cab3

SHA1
dfa5ca921f81556124e5fdf5a5060474652ca902

SHA256
880d3ac275583cf467542ca865c03310d5dc46776280c6898ec22a955780456f

SHA512
e248dc7cf041d4bfabdbca3f7c4a049216ce3b0a9d88932279a6c694058a51a403fecb335a174a194228ff39275fab94b6daa7ee55797cfd8cbb5f8bfce5e479

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi.tmp
Filesize
1.6MB

MD5
b1b056b1e9f6f29d9df5296b0cdfa0be

SHA1
910548e3ec0b6915dcf457fc328e7cbfb930e6e1

SHA256
12ed8e4f639f5db61bb4bcd586a572e06ff85018b45bcbef8223f1814972a9e1

SHA512
dfcfdc73b25344a57d54df716344cb4571ca8f307004dd2263fc01c1d787d0a77e85baf09c3323b75e7c6b3589c0e098ce730b1bece6fa75e2f513708ddb9ae4

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.tmp
Filesize
1.4MB

MD5
957a2844654f6779b0d3e4c619838016

SHA1
7619de9fdc44a70a29642bd78c2f408fd71b5b11

SHA256
dd5e18a79465821d2d2ebda0302ac73555f5cfaae927d61278a2dd0acf9d3856

SHA512
6c99f1a58e6c75e5757ecf9347c7ddfe429b6d813e89aeebe5ad62ccfbefe43399c46bbafb84a13328f993fcc417ce1c5a27ee1f5ed81c6b9d8608d201c48ebe

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi.tmp
Filesize
739KB

MD5
35baad5720e975850f01187331b76c9f

SHA1
621a23061c982df3cbf251b850964cfd5c02aa8b

SHA256
fde2181d967c7fd2f72f8bca81535ee2974ec797a1aacc71470915f4719c3f63

SHA512
eab79145815b71538e077064536e5763759be205dbbac250d727d79a97e4b0b77db631e47e176b814d7d079d41c44cf3dd65e0f8e9fa94c1c5e159eea0bd7d10

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml.tmp
Filesize
102KB

MD5
c9007aca1d81c83479d417a09189366d

SHA1
735150ac684a3186f4d136f382e5aa0f69ced86f

SHA256
ee41f067d1cf297df63655524bbcfe575a9867feeed67a672fa26aecc7dd06a7

SHA512
349763b4cbe8c3dae249ac75e2514baae915bb7155387b85e87f464ac30ecd0c2fcd81d72b9ff8651295781da5fa3dd0f7856dabc45a7e0614b87b8f86e42a63

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab.tmp
Filesize
96KB

MD5
cdacb04e02ac9c4c9ea18a4a51050eff

SHA1
f41cde176ab386035b474e1bd5bc698f43546f8b

SHA256
7d0c1a7538d9cd02eab9fa53d05eae2977d9888d8511486117d87a6f41c72c8f

SHA512
00adb2f46dd294876631a98720b05f0810f3be6c7e281676c9fba778847d3b7cb8c91d169905832862cffae53b6d964b890ce3be32bded7c4673ccd6e4b12654

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi.tmp
Filesize
104KB

MD5
4cc2579997cc5a39a37292c9f524eec1

SHA1
e2554dfdfec7421db822ad7d27857df921988286

SHA256
8f6d7737758061d1ed0c06a0165fadc74e1f06d785928092b0380c1bbda7ddcc

SHA512
1f70dec2f9304c564c8907eba57daf6c7f8a013b5398c759329f8298dfd9c568ad70774fda6a3d4f21dc7a1fe31fb380c139088da1ea780b954961f53f00913d

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.tmp
Filesize
104KB

MD5
a28ad289311a9757c7934998d8e9c0ba

SHA1
e6d1309a1e49a520977979ced52b3c4416c70204

SHA256
aa18085c97b4dd10a947f63780563677e03315f7d2c593f4181d03d6de468b66

SHA512
57575b4c5869c0a0887c36eab4c120f878648acf7ea534a74315e058a7d73c27f0ea725d1b754e91eea4716cf4d9ddfb6187f4e64c9fa6068008bdc6112bdb81

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.tmp
Filesize
19.6MB

MD5
a2d1d9cd19495a8e7b553608e0760c93

SHA1
9d2a55af29385d0a329cb99758424f8070142976

SHA256
3fd0f2156216beca79412b40e1cc86e786dd16a2e1ecf325ddac8f915a5e8c20

SHA512
04e81588afd2bd12e261d4a09bbf90cdf51068de93092083b080e274003ed363e73d6e8a6bf316597a132df9839e3444aa667753000f1d85664be2575dbe335b

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi.tmp
Filesize
750KB

MD5
8564219a9f1656192c826d625c495a68

SHA1
f323c71ed98dd9a0686848b9cb7659029811cbf7

SHA256
f4e24be1816ea5c786cd128a4aa527da99e26170acde2e658d6cae92f3223941

SHA512
b7891968a13443e073bba72dac8a2df6d91b0eae120747d3ec5d52cb84418ea3d87bd1120cce027cde11e78994b0e6f3f674373e566f65460104d724aeb952d4

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi.tmp
Filesize
733KB

MD5
4616a9455f4eb12fea618260010b93fa

SHA1
ce56d017b136e7578bfe639427535501eea5dcab

SHA256
05540a880bd2e0e7e2d5ae577d9d11a619723ff4d6a3ca022b5df16dd261211a

SHA512
b6217bc250e837d4bfeccde62a066fc851fce39b0c484c58384dc20bd8aac636e0619bffb753c04f1690d09bfb9f934a3274000f4313cfa3178298e5d7ec72e5

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab.tmp
Filesize
2.2MB

MD5
79880a2830215ffd7ab2f4e4deed1840

SHA1
2cffb21f81086da5d80b21d8e77ae25254118faa

SHA256
0bae685e40c13d5ccadb3ab08e088c8bae3454b32eab81d8dd51f6be1db00571

SHA512
9960461102c40be6ba56a29fb97c40eacde91c4c95356b268ff34e6fcd2c8270b7decb9be7a4422387ccafc560b46f622d863ede01433f61917f50e1175b7faa

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi.tmp
Filesize
2.4MB

MD5
8daaad9fc603ad42945560fffa640923

SHA1
34a5ff9481a38993f0c048ba0155f0df474045bd

SHA256
ee56414c81b7afd0a5e3946c0192a0d0f6a850e09bf65bc40fb7b6749080b1cb

SHA512
259b65db727bfebbb6ca7c693a2d2541f490a03bbdacad4f5c7f8b7a9eaddbcb1a53aaf466a89789ea59fac8b19cbcc56352397e906f4958700ccee6a153825b

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.xml.tmp
Filesize
102KB

MD5
09587884852898227cf5136be02abdba

SHA1
2ac3ccad57cf48e82e4e1b77772f834f343f1559

SHA256
3dd305a6905de85a5434185b3645016607614a92ee91956a29de5741fe09662a

SHA512
ba672e150fd03b1fd31ddbd7429627fb888af54da795a0c2f1641a475a1c9e95cadcb17a0ee5a654211e65e8ad5cd634ddebed48fc386a9300080869d108428a

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\Setup.xml.tmp
Filesize
101KB

MD5
0b1023f72a5337beccbb867517b184a6

SHA1
4de5573b2a9a6b366bfe9c75b93543457feda70d

SHA256
9b174c40f1527d600033474f7da69bb705e1c7ef03ef0b8dd7b9fe78850c6435

SHA512
e8898efc8b035ed48d6c5450a5c0a64ca124a250169bce1de2c231588f718fd8c54d3947e45fbd1bea2923dc285c81a0d80d0533c35398e79ebe5f907177bc87

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.msi.tmp
Filesize
1.8MB

MD5
107d6696fa3992a4c3994cf9e547f673

SHA1
e3e2e77f589e35e6fa0445ff83e567e8cd4ea06a

SHA256
e8814006562e3d8f694ab66a147aa3c2662a4b181869304182f6e424657f27d5

SHA512
d159eb18748160c023cc510f5294e2578e3f4ee8ed77fde1aebf84cf76f00e9fbe8bee94a500497eb8e575a22f7b89721512995461718f084eaba5b636012e2b

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OnoteLR.cab.tmp
Filesize
3.3MB

MD5
cf6a0ef95ea0ec9cdf6bb946b1cfbd5e

SHA1
f53635841090e62bf36f87fea11c93da9f1b36e4

SHA256
55b56dbd195e9f7e3e3d3334d677c40ae91a29ecc651772f186d012277f4b27b

SHA512
18c4a8ab652ee4494d0de9a44b4dc35be44ee79cc8184abff6690bce2d4890c7302e25a2aa2966d48029a1ac5ae2e76f866ebfef7bfb4fe9bc622553ddcf4672

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveLR.cab.tmp
Filesize
4.0MB

MD5
c0fed43271664a29e0da4cf7ab401c1e

SHA1
821469cf4f458a4e53e4e8082e80bfb7ec8069b1

SHA256
b8b75fd64bade8030403fbe89cb87196648ca197379783de59033a3c4717b819

SHA512
b8715624120f0bc0914c2c312a1450fbbace52c4ba53bd4e9c002ae75a10c284ef5a29a8d13b00a961ad315f84932f0dc6a5f8fad0e4ad41aa151eaa1c16f4b7

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.msi.tmp
Filesize
1.8MB

MD5
5430689a93f72d943efb4197f6ecbaa3

SHA1
3a85372f2fa9d93bddbf3560cb336037e473ade9

SHA256
58c6ab3a45383413ef336ed6b38d90d3ce0ba3d529080a7487521e59eee3de5c

SHA512
f48d96ad91fe52b21cf8ba49db9f986e08a7d7374e74983da13084df7fc88c20242fd6dd019ccdf28d134b6a99711aff0a59f75b0e788c619917b3074797f611

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwintl20.dll.exe
Filesize
203KB

MD5
b73b227732cb65a02a2476a2bea60934

SHA1
484d73f371e688cad41371ca0e3f0d6c6f7e99ca

SHA256
b3d48beecd1e3aecc7e62282f5fd4d0b2a6cba6e0804fef8e04ffa95af919232

SHA512
9642f48f347aeed0782f7e25496fbe2f8dfefd6614f5ec0dee5ab30b4bed48634399298c5310c34ee97e04ebdef8fbb30f9906cc7c5f72536c0ff380adfb9feb

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE.tmp
Filesize
919KB

MD5
847119cdb4224fc7f4abcd7f3661322b

SHA1
0b85d7b341c027fa7e85cb30c3a59403feda80ca

SHA256
db356f2c227b252e29f80e2ca8a52982a6dbee9554ab3fa4125defb35110223b

SHA512
4224f4c1e469114703c089c6034bfe40ba1471b5718fb56823f49bb8d1ae5e69adaacbaa31970cc4fd344843dab62c37cdb8f3a4042e3daeaee1699d72bcb773

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeLR.cab.tmp
Filesize
11.5MB

MD5
90394c5e1fa34e32e82cc6a951b969d0

SHA1
f532cb1365de3c69e624301aed564d278f763ec2

SHA256
aacce3ed1de345e1fe7b1e1f017495e5b509615f30edac26c61dde591297da97

SHA512
509cd2d5a2a647701fc4cb036267c097e66f03ef77d9e9e8dd1c410b10d3e687d687f9f81cc918b6a9c8d794317e17bfe5f649c621f58af05363ca9113b9eac3

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.msi.tmp
Filesize
2.8MB

MD5
3ac03838f2e2cf3aaaa11cd657eb0e02

SHA1
4db97f3badb6d35872a75a96e28eed7666a9c548

SHA256
571f48b9fbce716581089b3b4e20dafdb639235b9edb99ff424fe4dda6fb94ff

SHA512
0e56b5ba96d2c093f6a04051df9d314e53dcb4646bb16150811c15ba36416ffc7b9a116dd971d50a8af44145965dc4fb855362dfa8caf5698a26aa494569f853

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.xml.tmp
Filesize
101KB

MD5
7a624884876c5799acaf9e4679f3cb8f

SHA1
185d23b4fad5dc658c47c6c5755f63ef399024ba

SHA256
df9e0fe8b4a713eda72b24058153c569a39ea1475f0c866c961c98bedeb4159e

SHA512
f02be8ec94dec3b1a1d82901a6a35dd8438c4abe37de2b407e94cc80f598f3878a219bcf0ad1f7a5479c66d7c62070e28faa8944b11b04e5ca2fd1cb0d5d7788

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\ShellUI.MST.tmp
Filesize
105KB

MD5
d5d8abbaf18db7ba70a192f6bf127bd8

SHA1
cb32c48bdedc4c83a6be7a9fce21720677ce8959

SHA256
2a449f004a24e361f54eefbda2473647975c017e06ef054784111fd37abf7b27

SHA512
abad5068dd06f5b8570e9eb2cf45823db1c2041426b3dcd628b39ca0d3658a35457fd0ae8fcd4cda3f717bc35cc935e09afc0c239e8bc4b26c8e38f70b86a4cf

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\branding.xml.tmp
Filesize
640KB

MD5
fd78314893b2a9b84123ee07cd3d15a5

SHA1
4980c3ff2d93caa4e43a7dd1f54bd2e19356729e

SHA256
30bcb6398ef57eca5f75a0cd4eafca20a610001588e23ef833771c5f6e5b15ef

SHA512
06a7e30670c2a03905f4a0f1096e58b2f758ce7ad99458558f33ca733fe44bb7c68449d572e868ee823322eaf52575e47162bb5c8f364b69a95e250555522274

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe.tmp
Filesize
100KB

MD5
4f99f541aef1b493f0d582b28e859742

SHA1
a389a3a62db34cbe2d7c81e604b9d76770d3e88d

SHA256
82c43be04e56f9853ad87d85e1e52fa3c3470601466be6d2247323813543f3ed

SHA512
876c0c1cfeaebf46db1aec3592026f001d062f9acccc55d7f095c60207a5d1821d77770fd117eacd07420f2d475692272fe6c80eb027c39b7817cfc50f8cc426

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\msvcr90.dll.tmp
Filesize
738KB

MD5
cfa7ad06ab97782ecd8cf4207ab0a185

SHA1
c39369cf62529fd48d751acb939b7cdab8798560

SHA256
433f476b27b599a7581d2cc166f11be1343c5a8dec5aeff1499976177a152406

SHA512
aaef691028c04ae1c917336b1492db4887f70ca326ff3a1ee128c2cb1f166d5812260d0ebbab5420ae22c41869b4ff299abb6705861c61d847893244d4b3b410

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\osetupui.dll.tmp
Filesize
287KB

MD5
99433c3b117b53041f0a3095d9dc4d3e

SHA1
29e2e118ab110669ca26c4a68c051b8655a63cff

SHA256
5f44ebb031d95689bd1e5c26c594f3501bdf0e17182b56b823f4dd17785a0bdd

SHA512
f80b771a30e3883b5facbd9c5dc1b612cc4415678c6429bcf4ea6c53fbc9b42d41faf454837c716ae46b49facf2b895a4d27ce7e1c2e5f285a1be28f0171de6f

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\setup.chm.tmp
Filesize
100KB

MD5
99b5a2d1b682527485ce902c373f2a16

SHA1
4e4eca869ec3a2e2c24df0103e5ed0b828a1f284

SHA256
2da4ecc2d823899fcba227bfae50359e3b850a3a98519cebe50f7779bcbc8e11

SHA512
c657f226ed5cd12c95c94b00502a9f37387ff57e37e08b70ee13eb679cbb02890dac51b9b27f4a72abc50760481ef12187f2f1df75a6cd273bc7fd605d20e297

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\setup.chm.tmp
Filesize
165KB

MD5
ab43237876f3eb0824628d3146ca1d3c

SHA1
dfa8575849591c5e3944135e2d15059dccbc47ba

SHA256
6402108fc62122b9515670525ad39d43f6a2460b4516d60cbc158f5e2fca67c9

SHA512
09f7971855978ad1dd4632d68323f3e097a69e71746ba6f6fb89fd79c7e6a652df4f38ed2b3c6495a42639b7fc70d05604e882fa25cdaa5b113a28e740ff0c9f

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.msi.tmp
Filesize
100KB

MD5
596949afdc46df0d93e8851a5388468d

SHA1
c413fe553ddf5460205174095be6e68c6faf3a12

SHA256
9ba6364fe8b94b07008a7d61c093c29f2bcfc108998ead516991462ba2394892

SHA512
90464876667f6ce24c883e78e092d50fcaff4349d174c9c28986de20a52adabe9a358ff7aeaee18c6265e1cc2116fe0dbafbe92a294167b83bb534a7a90b2e2f

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.xml.tmp
Filesize
100KB

MD5
4b8dcd342e79b5fa2f7d98ff4f985a46

SHA1
9dcabcad7fef592110b6c963ff787de3b0b3c282

SHA256
1b122f88f308b8f454e9322821b631fba42595a48e2362d57733823d5afff7ce

SHA512
40c703a301ed37e213b1b1598ed7a335cf02eef06b33263118658667bce0e40e8d6cf86dbdd8e76b35fb1548f0f51b37497348186563c085fa0ca918e5409250

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUISet.msi.tmp
Filesize
100KB

MD5
73a446d6eb5d565905983ac159a8d0be

SHA1
7e394da4eeecb32d0e1284c6a4da0cbf16f0d73f

SHA256
7402068e18922088598f8eadb98045b3fbed176019ff4f83327eb0704f113069

SHA512
d101957ea6794e2e665ff9972e34906a7e37ba8107e9c3829f80bfb479a271f0e81dc63eb27ccaf994a68a5bb0f100bebccf178cdabd0283488b893822d741f6

Download Submit
C:\Program Files\Java\jre7\lib\zi\America\Port_of_Spain.tmp
Filesize
100KB

MD5
08e2c86102ed53dc801983862db96476

SHA1
63bca5729b93bf571076bcec274a1f3f69a77ac2

SHA256
0ff0ad49fa49a05440e4c412b995ce51bd6f4ccd561e301b3f0e0483d1a4575d

SHA512
5029fef2020ed98e9e730c36e1d3eaaff574fc3428ab065f12bf7b06c33bfb6152f3b4982b3fbf9aa5f86d65ae79b526e7df7bbfcd5ad47150f68a09ef8a98f4

Download Submit
\Users\Admin\AppData\Local\Temp\_Print Management.lnk.exe
Filesize
100KB

MD5
bc6dd6d412376d396d2b501cd187e61d

SHA1
574a43c88547b5e1e5f30dd4ae2d17cb675e025b

SHA256
e8b26f21e03d30981363a87d3c760c77c9e14333a78bbf8d22d79e30f6a6d489

SHA512
e34a9da1946b8ddd5318a34467bb405548b79004d7f9826fcbbbad49cf9d7c01b194c8f55a9c4fe3d4787f4713f2e95ad0763779dd9a19e9b0eee727d4b25159

Download Submit
\Windows\SysWOW64\Zombie.exe
Filesize
98KB

MD5
3ba979ed5c668de066c068d330a74cd4

SHA1
9ac48dc6d56957585ed05d75c778223c04d890c7

SHA256
039aadc08a27dec4567b8acf502907cdef68a0ca25203101cb4dc16faa7cf871

SHA512
84ba5a1b2847f077bd6d92374b9804a3063d5d6035b9ea8509117f0789c9dcd883956d056d0cbd776094859029faefb5cfbf8de9b568405614d4db00961cccc4

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads