1aba35511510e20eeb378597e849220bb634efed9778b9660fb7fa688ae87e23

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
24-05-2024 19:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1aba35511510e20eeb378597e849220bb634efed9778b9660fb7fa688ae87e23.exe
Size

176KB
MD5

218a5b7be24e094c28ffc59f2d37dd5c
SHA1

9c4a3d409a53718c14e3674e371071496ba78fb2
SHA256

1aba35511510e20eeb378597e849220bb634efed9778b9660fb7fa688ae87e23
SHA512

f815f6416a2fbbb00eff590e158c2a467122443c0cf59474a69ee5e505583275b7f147f4ee63ff32f837d2ce7c3c2e3878202759afc853d39dd8238a70d6a114
SSDEEP

3072:6rWpcOPxPke+e3fFpsJOfFpsJbgEprWpcOPxPke+e3fFpsJOfFpsJbgEI:tFPxPke+eIQFPxPke+eII

Score

9^/10

ransomware

Malware Config

Signatures

Renames multiple (3728) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Executes dropped EXE 2 IoCs

Processes:

_cup.exe.ignore.exeZombie.exe

pid process

2512 _cup.exe.ignore.exe
2908 Zombie.exe

pid	process
2512	_cup.exe.ignore.exe
2908	Zombie.exe

Loads dropped DLL 4 IoCs

Processes:

1aba35511510e20eeb378597e849220bb634efed9778b9660fb7fa688ae87e23.exe

pid	process
2924	1aba35511510e20eeb378597e849220bb634efed9778b9660fb7fa688ae87e23.exe
2924	1aba35511510e20eeb378597e849220bb634efed9778b9660fb7fa688ae87e23.exe
2924	1aba35511510e20eeb378597e849220bb634efed9778b9660fb7fa688ae87e23.exe
2924	1aba35511510e20eeb378597e849220bb634efed9778b9660fb7fa688ae87e23.exe

Drops file in System32 directory 2 IoCs

Processes:

1aba35511510e20eeb378597e849220bb634efed9778b9660fb7fa688ae87e23.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Zombie.exe	1aba35511510e20eeb378597e849220bb634efed9778b9660fb7fa688ae87e23.exe
File opened for modification	C:\Windows\SysWOW64\Zombie.exe	1aba35511510e20eeb378597e849220bb634efed9778b9660fb7fa688ae87e23.exe

Drops file in Program Files directory 64 IoCs

Processes:

_cup.exe.ignore.exeZombie.exe

description	ioc	process
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-phonetic.xml.tmp	_cup.exe.ignore.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\dotsdarkoverlay.png.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\16_9-frame-background.png.tmp	_cup.exe.ignore.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-uihandler.xml.tmp	_cup.exe.ignore.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-attach_ja.jar.tmp	_cup.exe.ignore.exe
File created	C:\Program Files\Microsoft Games\Chess\es-ES\Chess.exe.mui.tmp	_cup.exe.ignore.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\tipresx.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\baseAltGr_rtl.xml.tmp	_cup.exe.ignore.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\liblibass_plugin.dll.tmp	_cup.exe.ignore.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\artifacts.xml.tmp	Zombie.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-core.jar.tmp	_cup.exe.ignore.exe
File created	C:\Program Files\Java\jre7\lib\management\snmp.acl.template.tmp	_cup.exe.ignore.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Damascus.tmp	_cup.exe.ignore.exe
File created	C:\Program Files\VideoLAN\VLC\lua\playlist\vimeo.luac.tmp	Zombie.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\misc\libexport_plugin.dll.tmp	_cup.exe.ignore.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-split.avi.tmp	Zombie.exe
File created	C:\Program Files\Internet Explorer\DiagnosticsHub_is.dll.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\js\settings.js.tmp	_cup.exe.ignore.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libscale_plugin.dll.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\css\weather.css.tmp	_cup.exe.ignore.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\UTC.tmp	_cup.exe.ignore.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\UIAutomationProvider.resources.dll.tmp	Zombie.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Tokyo.tmp	_cup.exe.ignore.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.repository.nl_ja_4.4.0.v20140623020002.jar.tmp	Zombie.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libtransform_plugin.dll.tmp	_cup.exe.ignore.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationLeft_ButtonGraphic.png.tmp	_cup.exe.ignore.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Blanc-Sablon.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationRight_SelectionSubpicture.png.tmp	Zombie.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Syowa.tmp	_cup.exe.ignore.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher_1.3.0.v20140415-2008.jar.tmp	Zombie.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\splash.gif.tmp	_cup.exe.ignore.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\Microsoft.Ink.dll.tmp	_cup.exe.ignore.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\babyblue.png.tmp	_cup.exe.ignore.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\pt-PT.pak.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\bin\nio.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe.tmp	_cup.exe.ignore.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\mc.jar.tmp	_cup.exe.ignore.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-progress.xml.exe.tmp	Zombie.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.VisualElementsManifest.xml.tmp	_cup.exe.ignore.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_yuy2_plugin.dll.tmp	_cup.exe.ignore.exe
File created	C:\Program Files\Windows NT\TableTextService\es-ES\TableTextService.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_uparrow.png.tmp	_cup.exe.ignore.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainBackground_PAL.wmv.tmp	_cup.exe.ignore.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.intro.nl_ja_4.4.0.v20140623020002.jar.tmp	_cup.exe.ignore.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Pohnpei.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\uninstall.log.tmp	_cup.exe.ignore.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\blackbars80.png.tmp	_cup.exe.ignore.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\PYCC.pf.tmp	_cup.exe.ignore.exe
File created	C:\Program Files\Microsoft Games\Mahjong\en-US\Mahjong.exe.mui.tmp	Zombie.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\spu\libaudiobargraph_v_plugin.dll.tmp	_cup.exe.ignore.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\Beulah.tmp	_cup.exe.ignore.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.nl_zh_4.4.0.v20140623020002.jar.tmp	Zombie.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\YST9YDT.tmp	_cup.exe.ignore.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.webapp.nl_ja_4.4.0.v20140623020002.jar.tmp	_cup.exe.ignore.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-nodes_ja.jar.tmp	_cup.exe.ignore.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-profiler.jar.tmp	Zombie.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-runtime-l1-1-0.dll.tmp	Zombie.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\axvlc.dll.tmp	_cup.exe.ignore.exe
File created	C:\Program Files\7-Zip\Lang\nb.txt.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\Bear_Formatted_RGB6_PAL.wmv.tmp	Zombie.exe
File created	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Halifax.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.bidi_0.10.0.v20130327-1442.jar.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\ja-JP\SpiderSolitaire.exe.mui.tmp	Zombie.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

1aba35511510e20eeb378597e849220bb634efed9778b9660fb7fa688ae87e23.exe

description	pid	process	target process
PID 2924 wrote to memory of 2512	2924	1aba35511510e20eeb378597e849220bb634efed9778b9660fb7fa688ae87e23.exe	_cup.exe.ignore.exe
PID 2924 wrote to memory of 2512	2924	1aba35511510e20eeb378597e849220bb634efed9778b9660fb7fa688ae87e23.exe	_cup.exe.ignore.exe
PID 2924 wrote to memory of 2512	2924	1aba35511510e20eeb378597e849220bb634efed9778b9660fb7fa688ae87e23.exe	_cup.exe.ignore.exe
PID 2924 wrote to memory of 2512	2924	1aba35511510e20eeb378597e849220bb634efed9778b9660fb7fa688ae87e23.exe	_cup.exe.ignore.exe
PID 2924 wrote to memory of 2908	2924	1aba35511510e20eeb378597e849220bb634efed9778b9660fb7fa688ae87e23.exe	Zombie.exe
PID 2924 wrote to memory of 2908	2924	1aba35511510e20eeb378597e849220bb634efed9778b9660fb7fa688ae87e23.exe	Zombie.exe
PID 2924 wrote to memory of 2908	2924	1aba35511510e20eeb378597e849220bb634efed9778b9660fb7fa688ae87e23.exe	Zombie.exe
PID 2924 wrote to memory of 2908	2924	1aba35511510e20eeb378597e849220bb634efed9778b9660fb7fa688ae87e23.exe	Zombie.exe

C:\Users\Admin\AppData\Local\Temp\1aba35511510e20eeb378597e849220bb634efed9778b9660fb7fa688ae87e23.exe
"C:\Users\Admin\AppData\Local\Temp\1aba35511510e20eeb378597e849220bb634efed9778b9660fb7fa688ae87e23.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2924

C:\Windows\SysWOW64\Zombie.exe
"C:\Windows\system32\Zombie.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2908

C:\Users\Admin\AppData\Local\Temp\_cup.exe.ignore.exe
"_cup.exe.ignore.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2512

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2721934792-624042501-2768869379-1000\desktop.ini.exe
Filesize
88KB

MD5
dafa09d25d3ede2b038c2808e0980abc

SHA1
872a320d19ba3f307a4905862396f2a9a6314912

SHA256
b0e5c877f95233985425096f45a406173ea70067acdc93aaae6ceaab3559a673

SHA512
4da453338ce86ad4540fd77a1f9be30e1940e69e91f1098f6d34eed46e9ca7be36561688a7d471d0561df20d7dcf11064a705a04588430a40e5f9ec76720c946

Download Submit
C:\$Recycle.Bin\S-1-5-21-2721934792-624042501-2768869379-1000\desktop.ini.exe.tmp
Filesize
177KB

MD5
ca3e74f821b70ad86c161f551e2f30b5

SHA1
3878d4f9e1ff85fbfcbd5de9952ccc9c58acbb28

SHA256
26823504ea9e825b80d5a2c74c50da6da04ee3de12a863bc758f6aa0319c8e78

SHA512
a014aec1c87863e49589967e47e56f7b5b12f12553cb60ca687a244795a723dfbb01950bf99734d33eea9915dcea4ba3f2621b94b7cb132f27aaac8c1e419825

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.tmp
Filesize
22.8MB

MD5
163737bb902a21d938d9769507581b4e

SHA1
52ab2f88142a6fe2844241fbc9e7c1c76d3c9e5e

SHA256
d82d6105c0198eaccfed9ab097a71f1948ac187496cfa839a666471165384db4

SHA512
5447e39ab519d45031159fbd4c93d4e6d784fcdb666b85d95cf7b6e4a6760752653f3d29fe83a443648b5304a9d0740d12a3830e3946b544526ba3bc52309074

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.tmp
Filesize
3.0MB

MD5
3c16812fd962a1ab713c999208c0fd24

SHA1
48cc99bc4dc200595c440e4b49934fd3f3f3da6d

SHA256
48918d78907232535ee88744f4cb9c9c1bb4c7a7ea65c00ec2a2fd9879097cd8

SHA512
717e9e52b7244d15bf4facd817be5d20486e267274015aa1e857768fb549225fb911614181c6f6affd3cc401f112f63d4940904668d6abe388dc1a5bf19421eb

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\PidGenX.dll.tmp
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.tmp
Filesize
23.7MB

MD5
52d0942bcdac145ad5e7611002df2e1c

SHA1
a7ca5f76e13f8364b484b39ddf4bba48bd109592

SHA256
e3e710c6e4cc6a557a0fab59e29ff5cb9e6e1844b8c8172e1b0f1473d60aa176

SHA512
525faa23277b1af67a2dcd7c664c6404990b3d42518482d1a66f378cd3809023d47d2b2d0e0babba1d60155f782342045eb4c237904f73935aba70459384b1a0

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.tmp
Filesize
23.7MB

MD5
029afcf6bb9a048c1e3ea7858e90fe58

SHA1
1bec6d2d138a71d4fa122843d2e5d51fbcc42319

SHA256
30c03cee534dd6dc8abd0f988147e15ec60f3279a9ad8b99a7cb9b0b7b40e390

SHA512
5ac90abb8e89cc0913062206a8c4c0c80d50ef74867683711216066e85830161123803697be011618d6adfebb212b1e0c1df3604e889f25a616b20cc866cb895

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe.tmp
Filesize
234KB

MD5
44d0e5eb1caef03699b2850b40611627

SHA1
276916129749fe63415e10cc52686cd9cc59a452

SHA256
9706f4c51f180564e8d12713c0311cb706569e5aaf32d55cd24acfdf85a766ee

SHA512
e2919938d3265ac51b94278c43b77d68cf52e74e6db8be50d0173503515a0300761a363daa6b06287c5e2c3d9a6c24dd58679b892a179b3169ceb5981d9590b0

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\osetup.dll.tmp
Filesize
5.6MB

MD5
b1938f433e4cf7b0b4e012bf6ff13501

SHA1
b212e1588d27ac3ea4672bd70d125963aec12e2e

SHA256
52b9f89d749850d0bc63244ad6dea4c053ba3b005d8a5512a87e8bed05aa0a1b

SHA512
259da34591f22b4dde4467b10aa9057d1098fc5e78ee59b141cb0b2634dd68e386862db06de044b39e2d35984fe0298948b88ce4e29e4001337d442181ccfbb5

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe.tmp
Filesize
1.1MB

MD5
1f5fe262b35eacf79efb5b652c46bbf9

SHA1
4d24d125fd81d9b6e50bf0cfa7742978d340689a

SHA256
e4017bcfd737d667cc5b000ed3a03bd9dceaf5b13e2244327aa03ca4e993a21f

SHA512
8fa22946ebaebd0558e6457a9cbe75aab479f273540eb96b9abdb25cb2156fbe71feb58385a4a78c44cecd01ecb50956fe567a6dc8bb112743e0b0f2fb2778df

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.tmp
Filesize
212KB

MD5
5d44a3d2cd98df7ddea0da28b874364c

SHA1
af43c45f0e16e5807be4c584e84388739dfdceb8

SHA256
5cf971aa094b5c8fe3e04452c38e71164058bf2e8bcca9f5503de5d0d2474358

SHA512
26cae21b28d91be9595a84baeb83fd32cda5fc46a17b13ca45f6394709561071f07a8dc3f1fea354bb4e1d070f3a319338d8a648b3f06bfb610282149bbd6999

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.tmp
Filesize
1.8MB

MD5
927dd887b8a53eb42ef38f45e489d15b

SHA1
436953c7c015b9630365804b25c15136e8e71a9a

SHA256
9e15021b7ee95a3f9d0af8005302b5f6219e98c977e46a1a15aeb823fcd4c421

SHA512
24f8a17502bd6a1b6dbfd9adec256f827dbb63d673d7f466eef42ff7044c60ade8171404189fdee8f5033ff210a502ca97679fc3f6f84d8a65e0d834d7408360

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml.tmp
Filesize
93KB

MD5
abb950384fd6361d2aed760f84ca44ae

SHA1
ee609f0ae2d4dfe9f04db63c371e8ba615da486c

SHA256
fb8c48f3074307313e4884852c6f6955f9006d150868729b6463e4be6b4765d8

SHA512
9643c92a5ecbb156590678a476d40293ac3dbeb67b358d84f80e4c1c099c11e7b490a136b1a717e24c4b48f7c90546dcd2ad2e2215b921ddb7ff2ce79c594d91

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.tmp
Filesize
9.6MB

MD5
0f5b0ea1ebd35f0638e3113712ce91c3

SHA1
b655de73eaf234b197ede41eeabc3b6a64c22136

SHA256
17ff6193e22f14b318e51cc7e8559f5f4812497411b9d11c9213dc1941ffa149

SHA512
5debf7b65e9941b38819edb043324ecb4df402050a61734b28a8ccc3f74456e9ed02773191ee49c74c0acb8dcd5dcc63e7022ecbb20fff779dbc65f97ab1b028

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.tmp
Filesize
1.8MB

MD5
0861c14fc3bd218f8cf05808c3e37017

SHA1
18bebbb7f873c5242e6a521efb5d34f41a73dc9e

SHA256
4df94ac7edefe65d390b61735d94dc5a9b705b0677a472bc0b8cf82d8aeca29b

SHA512
de39df76f1ab035c6f61bdd1136b04aaff303a26dd0cb9bd406cd9507c792f572e8f51411b8079b7098117059f6e926cac279daf527d6dbc6a4cc245ede61adb

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi.tmp
Filesize
2.1MB

MD5
f0b4d79b190a48ac90da932c530da177

SHA1
266089397e19ce27448070d3e6272cc9a5cc2a9b

SHA256
898cfd38f476cda1adae94480e704515a8cc12f55b099bf7f71b41e8f0f7218e

SHA512
ac0d45d5a2950360c8b4698d71ab22c3b9eb38ea84523df24155b4f7bb50a8bc49060da047439edbba469f3726c8174777962438ac6258697de5ddd39c362235

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.exe
Filesize
93KB

MD5
564ee80ff87b57fe08bf4fc5c4761cdc

SHA1
8905f8f45cfe456ebf0c200f0b9a02d043edb5f7

SHA256
782b68f289eb07f8ad4ced9b462750d38bd8e717e3bd7843f57350baa62a2ea2

SHA512
0d7f5a52a5a87a52d8c8c13d00e08d21fbe59147002351806a57268a1281a05bfdf35dcd5a0a72608272ea39c4adaf69f0d93876947b3014f3f88c8ee1b889ca

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi.tmp
Filesize
1.8MB

MD5
93524e99f5bee5b47e664e7ea85cfbec

SHA1
d2421b18bd973676e97b45d465752070dbeb4e7b

SHA256
3094f2d07c7ed5a764e51342f2666c74cdb03e1d0268b96fa08126e35a65eb08

SHA512
c2c1e7cad4157ae9d89f5f1f5cc2d03aa5d0ba1f2219aef733058e450d26655357a99899f2e36835da72b4ca9d334e94f58063cc5e652df8578f6d4cdb601e6b

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.tmp
Filesize
10.5MB

MD5
adf5c6acbb7a68b7f4460f1c8d7cf806

SHA1
229fcc1002ae2243cd0d308f9a860a28bb9772d1

SHA256
5f2dd5d69eeff427d6b4da3b6b1a637af79579ebb1203f0ea2cc2f9c552835a1

SHA512
a4116f28bb2c0bf85a36726825d5e85cbe029211760267e2e0242ed43e0478da2ea7d627668a8b193512f516cf5d02613346d25367765b4c0f9211f57a657262

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab.tmp
Filesize
96KB

MD5
2f97b4f788df03f451f572a6a0f5e56e

SHA1
754c13d60db57fbb5fcceee15c03a5b935652042

SHA256
24a3a0080abfc776e266c21da77cbfb7d99d2a0a87853880e4783536164c72a3

SHA512
971798c543a866f01d97df62cd5d3b682a90fb23eaa8c89f9cba515d27c475fa93c0a7b15c3c9198e52018b88747b47156a175a99ee83b698aa705471a3c0754

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi.tmp
Filesize
735KB

MD5
7959bae3834da43702c4d5e0dcac15af

SHA1
077a2b031959f2e4e49f4832d964bd7a85519958

SHA256
e71afb451d896a91da2fbf74978ed85aacc8129b6ec10e5baee2b80765473891

SHA512
4a579a3707e52e170434237be54ce4495224c3038f76c0df5ecec2811416fd71aaadaa48b4e32883b601b29e32b017918a5f95c8a625f5b78479eeab1300ffe7

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.tmp
Filesize
19.6MB

MD5
4b2677542880654716fca2d11e093de3

SHA1
b69cd3b93f68274b84b23e27ce96045a726cdddd

SHA256
e0be6ac81f76282bf611031ac7b4a28d02d23db0b0195a3e0b231183b084e68b

SHA512
288d5b2b891566bdedae17bc907e79781c8c06d32fb82b6c4c002714b86ef1f9bdce7404606c623291f132f7555a62ce0b5d9ee34977f3bf75cf674702888132

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi.tmp
Filesize
723KB

MD5
90c103eac615f63a09f83fa249126c56

SHA1
340f5302b2ff616db536d5996303307d79cb5e67

SHA256
b21531c5985f3831826898dfe57c9990662ff54d8356b2a134d7fccc09f98efa

SHA512
a3bc2c17c3261d4af60ae43aea10f7123edea32755bcfaf030283cc784e13c652238c919338e91a794eb61e5aa914e7ca01f30784f6c74ec0e6f142bdf0409db

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab.tmp
Filesize
3.0MB

MD5
e069cb6c8747899bd6e192da012facb4

SHA1
3b8a55418c727c11985c68e2750abe5bd6e17484

SHA256
e8d534a419a4d48f9b4b8a223d02f3657c419b542fc8245e34fef6b1da163514

SHA512
1492bf30e0ecd0231942097e4041cc4690a1a2c6918e5df655dc028f09634e0e7a6b95a2601936980b96c42210d9c1060686d6e09893c1ddbb7262ace2e54405

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi.tmp
Filesize
2.4MB

MD5
37d5cb8c2e09dacff594ce0c10f21290

SHA1
909dc80be8c1630cc5d73929a4113c18626785e8

SHA256
02f968348faf1ad1fbd39f18d01257c9797325b3c279fa8a0a847bd55b62cdd9

SHA512
1798f9c028f96e0b838aa3d5cf8812718d91505f49481aeb6e0d6de47a55df00603c05a4358011c3ed69a7d6b960f68fd8d8b45fe9b0142e23fd44974f231539

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OnoteLR.cab.tmp
Filesize
16.7MB

MD5
a877fd6a69294996adfb68d12e09588f

SHA1
9041fb09f3779f24db268686e6b746629badefd3

SHA256
cae02bc1df29de1339a63d78d00c69525808e03f13bc5dfe3350de50a5e8fd6e

SHA512
7e2b7e5687651e12aa8b5b04bfcb51c006c6850da59a6d22d271d04c2ca255d383089f2f2fcbf0d1289441c90138e95d950150765e7c512f8c1c0c15960fb0e6

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveLR.cab.tmp
Filesize
808KB

MD5
66b9152fb52c9d6c2336a43355d9b7de

SHA1
1de04a44ed960d97bd2a4be06de03f0b81d039a2

SHA256
7636c8487a1e3a4fe401832448a703c300cc1a4f33c6e18369be2d8af42cf3a9

SHA512
ef64fff4a299800d24ea88299c591eaed1072ca8d5fb6015d5d81e2b8f74fa7f0467e18c6229bc42475195f20082ff4ef02968b670909e608259e9549ea089c9

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.msi.tmp
Filesize
1.8MB

MD5
97ce1322540708eb27008f93975bb473

SHA1
f460a9ddfed0e3bcbd4d0cd888f1e36f9e61dc9b

SHA256
008246d0bf4ace9e696d41a1ccd2d10e23e2b5b3198340e03700ee3db3fe7e15

SHA512
02fe09135f741ac7dd94a24a839dde5d02cf4e19e3fffa192720ea81ae7aac0dbfd5e117dba4c199c3976f25a81b7f5767de5de0c2ff3284dc13126dcbf27950

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.xml.tmp
Filesize
20KB

MD5
02cd53acc50ffd9162ce0193ca8a9abf

SHA1
da5153b61ccc51697009954ad17552d7667c7d29

SHA256
c98135b9325fd1b57b51ebea6e9dffd7ee0d9af6f1d49c3463356c09ba6b937e

SHA512
611161feee99e5e8cf6594c5f82e925ba74844bd9d2176a5f58dadb1f9538d688e719eefe23b95549964878cd88901837c8366e71b2f23b86009177290969bdc

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Setup.xml.tmp
Filesize
91KB

MD5
3c9a36eb20d42134f93fcf2197d66dbe

SHA1
2d197bcaab31b4f9b631c746d4ecb85269dddab4

SHA256
0b5b8a389d4ce1ac52ce2db3c6e906484c9aeda21b9119dad01a5664a04bf36d

SHA512
e2303f2930626e6d9df332bd5355d08ebcfcd274971fa9a3cfeb3b3c92d0bfd9260f809c5f284cafb4955c3fe4d67208562f0516d84699250a5b57085ddc1f27

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwintl20.dll.tmp
Filesize
96KB

MD5
758b71b0ed0afdf4dfbfa87cc26efb77

SHA1
fcc17289b90fb3de1ab795884cdb24ce3c41eda9

SHA256
5f906535a4fb321650437427abf621183037ca8c5dca1e8fbc792b5581b890d9

SHA512
4997f8d438342ca06aff9086f716fb5e93c89afa664f630149c94e2c9919d66d7addaad6752860c8a2a10d31d021707054493256881e4b475cf2a354a2ad4970

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE.tmp
Filesize
907KB

MD5
9ba748ef9c799ba13275fd8b6dca813d

SHA1
bbaaf5f7d6a6bb3601f7a04fd0b92509a22ebdb7

SHA256
bb76acbdc5d743ea430a9db9c132664f1283ab2e9ad1c5872f4bf23340c7b39e

SHA512
d1bdb4e2942e8fde06f8cf6a7e582056c353f11cc29f8d693a949ce7012c0bb2ce95ffee2b2f167477d1bd4578fa2d003b02aedfdac483c35fc1ccd5e8bb9b5d

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeLR.cab.tmp
Filesize
13.7MB

MD5
cf1a2e17577f166758b77b49ab90fdfe

SHA1
6f6383ccc64fe270b18a8d45fe1398737707acf3

SHA256
b543d1e402bb40d680833455168f8c929ab65c56b8274ff153e6a55e1595a533

SHA512
23d177cd008ead945bc36b63386287cb58d16b60f542d46117e27dbe6c86fa38eff8ffe0307fda05475ea8221dd1e36ce3c827134f7afbca90826d92625b5db3

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.msi.tmp
Filesize
2.8MB

MD5
efc8034e873968c7d48138e4331a33b0

SHA1
969207fa4f7a3b6f36a38cabf2da4abdeaa7aad6

SHA256
303764217b87534457ae50eb05e978542fe288b767c04e7408827496fbbaaf7a

SHA512
915ae57ecb200174f117f9e568e928fa65206e6b18c456156469eaf1ea9160882e7b5fea89916394b8324f0d40242fdd0f637d14f533ff2eecc6506396bd3852

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.msi.tmp
Filesize
723KB

MD5
d872861714cb2bc09052d833fab20fc1

SHA1
edd0ce56fbc7c9436838825a4c768f61aa89c62f

SHA256
b36bf4eb36ab670f9776a06076c7f51ae7d511606880933c5ef76c92d1f7de7e

SHA512
b5ada564b189d4c4596655c72a81ffb4d0ad5759aaeed85faa0a45690ee97e66dee1190525945f087a30fd353b44d7bfefe0e4eb1afd8fa926a3b21d195d073a

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Setup.xml.tmp
Filesize
97KB

MD5
430cc42085fb1086bccbec0f976d42dd

SHA1
ab8468f9e1050f72b5de759de0155d810568a9bc

SHA256
60f2c5944b0d2bdb66a1c1427954808dad946db7d36a16884b71d94e49161b31

SHA512
3ba7318eb44b6485a4159a25aa723123b1d2c6d460a0bee9a939d5bff1ddd62404f2ba9f10d73d07c96bc4075cf4ef45c6586ea41a47e4c3d7aac34a2979ffaa

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\ShellUI.MST.tmp
Filesize
95KB

MD5
48ceb86d5f984fc312c5cd7671ec2dd1

SHA1
deef3945701d95409ecdb687b07d9306e34929f2

SHA256
2978d8c8a52a829de803c268bd810c9d9662fe7e57de21e0009f13a931692263

SHA512
52b38696ddd2333703ed61ff36da8214d49d396859a589111ccc53df1a46330717bd72c29c781395948f45a7f6087b0d105c9fa3abd65d65b167ab71d2112c61

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\branding.xml.tmp
Filesize
92KB

MD5
89773f4fb615fb62587f79827f1edff3

SHA1
831dceebc65edb72a1f97ed8d14997445e87f8a9

SHA256
08dc0e491144afecabb0bef86ff466d2e52168fe191caef8b090fa8ec4b7e2cc

SHA512
3c095fde14b981b4f2629dada0a8a11fdff300fffadfa09518ee0a3af2418004ba1d7987dee1ae763e249ac88592f29d7a5dcf9dae2a255ceb108cf01f17b7fc

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwdcw20.dll.tmp
Filesize
602KB

MD5
e6b4adbc040b84029cae22c68b1aca12

SHA1
31a6bffc4020a28b680ad67d5c6cde7d6b8f3c41

SHA256
2742bd1304fd0625ed405ae804dc1dd5bb17d1e2aedf3978e7682e0de0bfcfdd

SHA512
b5f9260e3b44f0bc64cbcb2890e4badb243b2ef64a9db5aa07d536c1608891c11a6ea4c1fb2da8aad4ea6ea0ebabba658f239d107bb98a965efd21bf227e3e91

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe.tmp
Filesize
595KB

MD5
fdfb57563717ec1623b76ca9ce8790a3

SHA1
23396f38a0776090bda2b42a770eec34a81cb51b

SHA256
5e5470b5dc6e18faaffd4fa0f4d4d17d2ff2298dba474ba8bfd2dd9d6bd69823

SHA512
3d448034b1325cebd1f745828a8864c2136ad83f8ee991a378db64758521f588b5424e266e9ab7281d366dd3cc5cca7fcd7bf6e99e82e6d41cfb4a9867f204df

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\msvcr90.dll.tmp
Filesize
100KB

MD5
0bbbaa7d8e457c04950e79a14c557278

SHA1
db7a8869aebf5e2d4095a6e182af8ad5550eae3c

SHA256
2c9626da4a0bf29a9d283a7947c589a7667a3988cd774ccc19896607b3d52ae7

SHA512
3747da5ce2a530a4f809209e9a53e8501946abbdcb61eb0b5e3ff7a34ca9585607fd856b0a459bb19fa98a06ea7f43abe38f1bd934d24448abdb8d4ea5373aa7

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\osetupui.dll.tmp
Filesize
275KB

MD5
fe8d862101a848f7ab7939c8ee247434

SHA1
62900649c1101cbf8716b3cdf1f2b6f93630e781

SHA256
b79361f2c116ab15a493a2ba1609ef2f84d16ffd705ccc30ccf0ac83f34b714b

SHA512
a0068b255fbcbd1164c2cea3889bf486e5a07eaafe7c36dc4cee0220f01d97e77bdb1c7d974cbcaefe05dc6e34579c79df4ea414a16df1c910a90026e7bc1698

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\pss10r.chm.tmp
Filesize
115KB

MD5
6d5f447a4f129730ad73a80b4cbec3eb

SHA1
5a6763ab13ccd51ce6a12602b965c02a443fb72b

SHA256
aca468e543d416d913a4480e777452309d8d6d8698e2600371777a44e7502bcb

SHA512
b3b9b0dd06a410238b9bf5fce55daba6528cffdcec3f2cae3a203a2b8d5ac522e2d5c1df1c897c480ca8a72cf9f7a755b6c17682ad3a136f7078c61ab459601d

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\setup.chm.tmp
Filesize
154KB

MD5
65fdd905d5f0243648624bd26cb464a2

SHA1
0313b84790ae0582e297be75983a835ecbeb7849

SHA256
07e5de9de369d9bba4c6ea27ed549649cafb9d5097f6bcbed4f6490db1391094

SHA512
be449c9ba3681013705fa59391ad9e340f9868e3bac411eaa9201a9c26b34f99550a54bec384509f804d78bd13a675b95e835a3a55d23cc94f4f2a5508bb9915

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OWOW64LR.cab.tmp
Filesize
620KB

MD5
a5f14b1df97977af39054c40f13cc9c7

SHA1
46f3d3963cf2bcd436ee62e2dc782ff07e790d7f

SHA256
e10d97b1f85f44978a9c772d9aecef5ec2f3a6ef291db705d2e576eb6f0da9a2

SHA512
8dcf7b0232e60a0cc92bb36738ecd609fd908782e8eb9ccf16864f445784ca81bf2248337b2879b44bea628468f0ea4f47b40a7d0b7c649910569c7a24f7f13d

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.msi.tmp
Filesize
727KB

MD5
e23d45b5fedc682663024df93bdfb7b9

SHA1
32fd3983a299f2406da012d977d9e159b78fc335

SHA256
b2d2b80780121756ac8a39790b56548911d829bc95a6ca3eceffdfe478206470

SHA512
477dca2ffe6d66052bcb0c251f25b4393e7d48296b15ca75cf86fb265347f926a91b1c3999fe7ed95f679178b79808a715d063879f8f2771d2289d8883ceab1a

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.xml.tmp
Filesize
80KB

MD5
43a85d1656402e6fab4601841816b457

SHA1
0186d05bc134597abb9816bab5beb64da4278998

SHA256
d7187fecaa8c916927d15a12e1a5e26c8e0f5286c29458e5756c8449da25c076

SHA512
3093f95ff3086bbb677c125c7b66de505c0a862be534bbe09d97e408479473f2caf7c78c7e46c61812a33cddf5e2a5bdc1f128a19e2d85e4d4139193cf7b2050

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUISet.msi.tmp
Filesize
723KB

MD5
1dbc9681f51e524e8bbd55954e318e53

SHA1
71be80d8b65ea859bffd28587b4c3ccbcf42bcbc

SHA256
b28737ccddc99e6b0723d465fb98cdd50872271e34b52615978bb3fefd500347

SHA512
926d4954f3158497230486207428ab72c7acb4dc1a5abc9dfee82e792e6b7d912d3cd857bee6c4806f2498ef7bc685e5bb92a978e9eff973d94ec1eab9a675a5

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccLR.cab.tmp
Filesize
6.5MB

MD5
c1611c89ab58e5fd2d29060c2a4c042e

SHA1
4fe7bb979042d61eb4cfea325bbfe8aa1d583e22

SHA256
0e03a76eed02cb39a0bbe5091b9f59ff6c69989f24a14be8cc3b2d019798ab85

SHA512
a0a2d16995df7bced8d173797ed486604c5c63efa5152ccd862f9a5f1aaf7caf0de556ebf1f82e7afe65107364c66527c347f0414fab89951e55d6d5769dcf8a

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccessMUI.msi.tmp
Filesize
1.7MB

MD5
635da3b7afe4b44e7be54ce602ad80be

SHA1
ae1e1c1d112ea2d7d35d1572249094da9d32896a

SHA256
92deb1f757360e2371955ce9a663b729b3f765d3a368e87d8c489e55bc2e3295

SHA512
b780bc8ce797fd87111b61800b165befb0c622b71a605df8bcc4810625a8a90c036e2199bd7702a4cb07384296077c03c94d98518e84417b0af8ce06ceef919e

Download Submit
C:\Program Files\Mozilla Firefox\api-ms-win-core-synch-l1-2-0.dll.tmp
Filesize
107KB

MD5
f72e691185bc12e7f696b8209b916478

SHA1
8f2313f6e033019348899f191b5ed5760ab6c605

SHA256
e82adf5e974a87d14bd1778192314a4bcef2e144e6b979332c565d03a37265be

SHA512
2a778c57da0c19b1787cd11e4c6657db27862769344e1335d7a20c4d3ae097b143590b1973cf2a205530e6fcc8c15165971f0597a5da8bebc224244ab828d25a

Download Submit
C:\Windows\SysWOW64\Zombie.exe
Filesize
88KB

MD5
a3fed657c3aac9a3ab72965584ebc44e

SHA1
0dfb7754e3c55f3846dabaaa1ec36131f672ca80

SHA256
51b76e3d4adcbafc48f91fa71d29f8d2c76d517be06abc4d348ceba3530092e0

SHA512
e779d6baca4bef587d3cbbe9333a9d6fee2710bdd9610ff234f86b00834f556e9ff3c57aefb652b023ba2e3f7cbb12bc753253cbde0a2ae7ac492408b5e80afb

Download Submit
\Users\Admin\AppData\Local\Temp\_cup.exe.ignore.exe
Filesize
88KB

MD5
e726321e38c99458d05d72f8175653af

SHA1
3a2bf3a41c838efd5b350e569913a6958904c278

SHA256
461cf10d797a9b878c1146f7d2d4af09ac5218d8d1e8568edf0d1fd63e657201

SHA512
2cca3fbe9284fbd52dfc20357548fd4810994ca6ac07ec1bbd76b006c55e652ef48bfbee5b08e70e784c5be032b7a9378d72771954d536614d42973a2552a63a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads