2665f35e6559e91fd4f65c23dc8510483dd6a3f7e741fcbf3c9e8fd856fb4a0c

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
24-05-2024 19:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2665f35e6559e91fd4f65c23dc8510483dd6a3f7e741fcbf3c9e8fd856fb4a0c.exe
Size

80KB
MD5

7f296cd92c4545d6371393c255903e01
SHA1

89dc29340f95f02f613d7176afab610c53bcd154
SHA256

2665f35e6559e91fd4f65c23dc8510483dd6a3f7e741fcbf3c9e8fd856fb4a0c
SHA512

85600850ad66913035d296078d2265fbb799eb4120ba8a8ab7859bec18ba21c351fefaafba4df95d292d9f7a1289cec7e70303917f75afc03ff40cc6ac9c4ae9
SSDEEP

1536:CTWn1++PJHJXA/OsIZfzc3/Q8bTWn1++PJHJXA/OsIZfzc3/Q8l:KQSogQSoK

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (4398) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 48 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1268-0-0x0000000000400000-0x000000000040A000-memory.dmp	UPX
C:\Users\Admin\AppData\Local\Temp\_chocolatey-dotnetfx.psm1.exe	UPX
behavioral1/memory/1268-7-0x0000000000320000-0x000000000032A000-memory.dmp	UPX
\Windows\SysWOW64\Zombie.exe	UPX
behavioral1/memory/1884-24-0x0000000000400000-0x000000000040A000-memory.dmp	UPX
C:\$Recycle.Bin\S-1-5-21-2248906074-2862704502-246302768-1000\desktop.ini.tmp	UPX
C:\$Recycle.Bin\S-1-5-21-2248906074-2862704502-246302768-1000\desktop.ini.exe.tmp	UPX
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe	UPX
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\PidGenX.dll.tmp	UPX
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\PidGenX.dll.tmp	UPX
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.tmp	UPX
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe.tmp	UPX
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml.tmp	UPX
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml.tmp	UPX
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.tmp	UPX
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.xml.tmp	UPX
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OnoteLR.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OnoteLR.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Setup.xml.tmp	UPX
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveLR.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.xml.tmp	UPX
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.xml.tmp	UPX
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Setup.xml.tmp	UPX
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\branding.xml.tmp	UPX

Executes dropped EXE 2 IoCs

Processes:

_chocolatey-dotnetfx.psm1.exeZombie.exe

pid process

1884 _chocolatey-dotnetfx.psm1.exe
2728 Zombie.exe

pid	process
1884	_chocolatey-dotnetfx.psm1.exe
2728	Zombie.exe

Loads dropped DLL 4 IoCs

Processes:

2665f35e6559e91fd4f65c23dc8510483dd6a3f7e741fcbf3c9e8fd856fb4a0c.exe

pid	process
1268	2665f35e6559e91fd4f65c23dc8510483dd6a3f7e741fcbf3c9e8fd856fb4a0c.exe
1268	2665f35e6559e91fd4f65c23dc8510483dd6a3f7e741fcbf3c9e8fd856fb4a0c.exe
1268	2665f35e6559e91fd4f65c23dc8510483dd6a3f7e741fcbf3c9e8fd856fb4a0c.exe
1268	2665f35e6559e91fd4f65c23dc8510483dd6a3f7e741fcbf3c9e8fd856fb4a0c.exe

UPX packed file 51 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1268-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_chocolatey-dotnetfx.psm1.exe	upx
behavioral1/memory/1268-7-0x0000000000320000-0x000000000032A000-memory.dmp	upx
\Windows\SysWOW64\Zombie.exe	upx
behavioral1/memory/1884-24-0x0000000000400000-0x000000000040A000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-2248906074-2862704502-246302768-1000\desktop.ini.tmp	upx
C:\$Recycle.Bin\S-1-5-21-2248906074-2862704502-246302768-1000\desktop.ini.exe.tmp	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\osetup.dll.tmp	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.tmp	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.tmp	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\PidGenX.dll.tmp	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\PidGenX.dll.tmp	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.tmp	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe.tmp	upx
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.tmp	upx
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.tmp	upx
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml.tmp	upx
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml.tmp	upx
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml.tmp	upx
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.tmp	upx
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab.tmp	upx
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab.tmp	upx
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.tmp	upx
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.tmp	upx
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.tmp	upx
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi.tmp	upx
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab.tmp	upx
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi.tmp	upx
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.tmp	upx
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab.tmp	upx
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.xml.tmp	upx
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OnoteLR.cab.tmp	upx
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OnoteLR.cab.tmp	upx
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Setup.xml.tmp	upx
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveLR.cab.tmp	upx
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.xml.tmp	upx
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.xml.tmp	upx
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Setup.xml.tmp	upx
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\branding.xml.tmp	upx
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Bissau.tmp	upx

Drops file in System32 directory 2 IoCs

Processes:

2665f35e6559e91fd4f65c23dc8510483dd6a3f7e741fcbf3c9e8fd856fb4a0c.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Zombie.exe	2665f35e6559e91fd4f65c23dc8510483dd6a3f7e741fcbf3c9e8fd856fb4a0c.exe
File opened for modification	C:\Windows\SysWOW64\Zombie.exe	2665f35e6559e91fd4f65c23dc8510483dd6a3f7e741fcbf3c9e8fd856fb4a0c.exe

Drops file in Program Files directory 64 IoCs

Processes:

_chocolatey-dotnetfx.psm1.exeZombie.exe

description	ioc	process
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\pause_rest.png.tmp	_chocolatey-dotnetfx.psm1.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_rainy.png.tmp	_chocolatey-dotnetfx.psm1.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt.txt.tmp	Zombie.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwrdeulm.dat.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_rightarrow.png.tmp	_chocolatey-dotnetfx.psm1.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\settings.html.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\css\settings.css.tmp	Zombie.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Atikokan.tmp	_chocolatey-dotnetfx.psm1.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Cambridge_Bay.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\default_thumb.jpg.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_corner_bottom_right.png.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationUp_ButtonGraphic.png.tmp	Zombie.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Mazatlan.tmp	Zombie.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\PresentationCore.resources.dll.tmp	_chocolatey-dotnetfx.psm1.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libspatialaudio_plugin.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-spi-actions.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Novokuznetsk.tmp	_chocolatey-dotnetfx.psm1.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\logo.png.tmp	_chocolatey-dotnetfx.psm1.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\ADMPlugin.apl.tmp	_chocolatey-dotnetfx.psm1.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPOBJS.DLL.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\pause_hov.png.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_thunderstorm.png.tmp	_chocolatey-dotnetfx.psm1.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\EURO\MSOEURO.DLL.tmp	Zombie.exe
File created	C:\Program Files\DismountConfirm.vdw.tmp	_chocolatey-dotnetfx.psm1.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationUp_ButtonGraphic.png.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL.tmp	_chocolatey-dotnetfx.psm1.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.DirectoryServices.AccountManagement.dll.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_down.png.tmp	Zombie.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviewers.gif.tmp	_chocolatey-dotnetfx.psm1.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SKY\THMBNAIL.PNG.tmp	Zombie.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msado28.tlb.tmp	Zombie.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Adelaide.tmp	_chocolatey-dotnetfx.psm1.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libmjpeg_plugin.dll.tmp	_chocolatey-dotnetfx.psm1.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\settings.css.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\RSSFeeds.html.tmp	Zombie.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Publisher.en-us\PublisherMUI.XML.tmp	_chocolatey-dotnetfx.psm1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\asl-v20.txt.tmp	_chocolatey-dotnetfx.psm1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-awt.xml.tmp	_chocolatey-dotnetfx.psm1.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL.tmp	Zombie.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Printing.dll.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_splitter\libclone_plugin.dll.tmp	_chocolatey-dotnetfx.psm1.exe
File created	C:\Program Files\Windows Media Player\wmpnscfg.exe.tmp	Zombie.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PAPYRUS\PAPYRUS.INF.tmp	_chocolatey-dotnetfx.psm1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Bahia.tmp	_chocolatey-dotnetfx.psm1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\about.html.tmp	_chocolatey-dotnetfx.psm1.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libhqdn3d_plugin.dll.tmp	_chocolatey-dotnetfx.psm1.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libsharpen_plugin.dll.tmp	Zombie.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\xlsrvintl.dll.tmp	_chocolatey-dotnetfx.psm1.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libsftp_plugin.dll.tmp	_chocolatey-dotnetfx.psm1.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Heart_ButtonGraphic.png.tmp	Zombie.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-8.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Curacao.tmp	_chocolatey-dotnetfx.psm1.exe
File created	C:\Program Files\Java\jre7\lib\zi\SystemV\EST5EDT.tmp	_chocolatey-dotnetfx.psm1.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\rtscom.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe.tmp	_chocolatey-dotnetfx.psm1.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\square_h.png.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\css\picturePuzzle.css.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\prev_down.png.tmp	_chocolatey-dotnetfx.psm1.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACERCLR.DLL.tmp	_chocolatey-dotnetfx.psm1.exe
File created	C:\Program Files\Common Files\System\Ole DB\oledb32r.dll.tmp	_chocolatey-dotnetfx.psm1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench3.nl_ja_4.4.0.v20140623020002.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\org-openide-filesystems_ja.jar.tmp	_chocolatey-dotnetfx.psm1.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

2665f35e6559e91fd4f65c23dc8510483dd6a3f7e741fcbf3c9e8fd856fb4a0c.exe

description	pid	process	target process
PID 1268 wrote to memory of 1884	1268	2665f35e6559e91fd4f65c23dc8510483dd6a3f7e741fcbf3c9e8fd856fb4a0c.exe	_chocolatey-dotnetfx.psm1.exe
PID 1268 wrote to memory of 1884	1268	2665f35e6559e91fd4f65c23dc8510483dd6a3f7e741fcbf3c9e8fd856fb4a0c.exe	_chocolatey-dotnetfx.psm1.exe
PID 1268 wrote to memory of 1884	1268	2665f35e6559e91fd4f65c23dc8510483dd6a3f7e741fcbf3c9e8fd856fb4a0c.exe	_chocolatey-dotnetfx.psm1.exe
PID 1268 wrote to memory of 1884	1268	2665f35e6559e91fd4f65c23dc8510483dd6a3f7e741fcbf3c9e8fd856fb4a0c.exe	_chocolatey-dotnetfx.psm1.exe
PID 1268 wrote to memory of 2728	1268	2665f35e6559e91fd4f65c23dc8510483dd6a3f7e741fcbf3c9e8fd856fb4a0c.exe	Zombie.exe
PID 1268 wrote to memory of 2728	1268	2665f35e6559e91fd4f65c23dc8510483dd6a3f7e741fcbf3c9e8fd856fb4a0c.exe	Zombie.exe
PID 1268 wrote to memory of 2728	1268	2665f35e6559e91fd4f65c23dc8510483dd6a3f7e741fcbf3c9e8fd856fb4a0c.exe	Zombie.exe
PID 1268 wrote to memory of 2728	1268	2665f35e6559e91fd4f65c23dc8510483dd6a3f7e741fcbf3c9e8fd856fb4a0c.exe	Zombie.exe

C:\Users\Admin\AppData\Local\Temp\2665f35e6559e91fd4f65c23dc8510483dd6a3f7e741fcbf3c9e8fd856fb4a0c.exe
"C:\Users\Admin\AppData\Local\Temp\2665f35e6559e91fd4f65c23dc8510483dd6a3f7e741fcbf3c9e8fd856fb4a0c.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1268

C:\Users\Admin\AppData\Local\Temp\_chocolatey-dotnetfx.psm1.exe
"_chocolatey-dotnetfx.psm1.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1884

C:\Windows\SysWOW64\Zombie.exe
"C:\Windows\system32\Zombie.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2728

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2248906074-2862704502-246302768-1000\desktop.ini.exe.tmp
Filesize
80KB

MD5
d0ada94ad4dff4a62ac7763be3b8972d

SHA1
0c88b6a25d6920afe949fdd73559078093cdb081

SHA256
ce312152af7008b1980120d814af841a543bd8f8425e9e9413078994f6d947fd

SHA512
a19df634359aca6e5768192130ea65f6b4c0d7071420609df1efa74d8eef704210e5596e0aeb581ab64c5eb2cbb4cce70156c8e14d1d307835551a77bd8dc793

Download Submit
C:\$Recycle.Bin\S-1-5-21-2248906074-2862704502-246302768-1000\desktop.ini.tmp
Filesize
40KB

MD5
64372c94f0a58585877dde6ce68c49a0

SHA1
ef594bb9e93381fb07ecc3e96ebfab8cb732201b

SHA256
39cf35950b547491064175aa345bccf3f998bd4fc836f4c647765f2e2cdfc5cb

SHA512
fbe054283dc41667b4e9a55ccb147044c79c8ec287c7590f7f456c7d664fbdeaec7422b41ccbd878411215c746fd39aeb3c45b17b17e841b10873f148450ff3e

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.tmp
Filesize
848KB

MD5
b0cf2e9158942246e3fa1ce1271188d3

SHA1
1dab9de38129b7958a20c812e9434b7664a07d74

SHA256
950c02a8e298c2811057ecc85abf9cc768d72f320aa90179bf383b419854c354

SHA512
adc33451814cd8908f41b42a81ff443818af6a7b178d7470cad75355ff950cecc76be287eff4c324e8ef164b2614d74318a415e43cdd17596364b6be02c12eca

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.tmp
Filesize
22.8MB

MD5
a6df1d688df8a0c3fe6b12db5ed50a38

SHA1
1129ae285edf771de8e998648677a82744a17f6e

SHA256
5b80aa78df8897344954c07c4d2cbdfcad436eac585d492086dd311148b10c48

SHA512
63c04ce6663a4470e56be3007172789560293fecbcb899cebbab459ab5a3298675166b12c64ffc1990993b1e6742dc2cb0c65b39532eb8327a112254e616f21c

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.tmp
Filesize
2.9MB

MD5
bcaf1b3243ed2f93002d91b8fcc4b475

SHA1
dc659c7127848299daf3d4887baaab1ac4af5a3b

SHA256
719594f6997c1ec8d24d69cc353205109b22929c984db3c03f4c62928f67c6a6

SHA512
070bf565c31dce6e451d34349bafcce5bd035f9e3bf9663f1d1e758638308a9f54f0e0c9f38fb8b506bb441d93159c557f2ad9e99c6ec7c9c479ed228c6bd1be

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\PidGenX.dll.tmp
Filesize
1.2MB

MD5
3912326f21a22be05870cd639143f633

SHA1
c4dc98ff1849481cdd782c0840a7485f642b1aa7

SHA256
6d5f19c9d3a9f746e126c865ff539c585469133e744563581d6c6ccd1f808ad7

SHA512
bdc3313896bcac375aec61c28ab982f314103d22fdabe0bddac4db2a99beb27fb66ecd7ae790cdcd6df516099d117beb699de616b3cce0cc1f518e624778e15e

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\PidGenX.dll.tmp
Filesize
1.2MB

MD5
bc2f42f8ce3deb399be435dbdb73c470

SHA1
2b187f3a0c50d6e61afbf7331adc3989de621e23

SHA256
368603a05e6ac181e0a466abee8a90c0d961e5c4b98fdf664debcc427e939f30

SHA512
d619dd15e035a7a960c023581a25e66740eae2ac75b05d213c6b5113e5b87de5d0c372286499b20fb4235c9a41253c740915adc33f3b5086c973c7c6f191eaf2

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.tmp
Filesize
1.7MB

MD5
13a310463ca6c1b542b4c4daff3f392f

SHA1
0ea7d43386e8d66bdee1a8f432809c2655d11914

SHA256
b75ba25750747bf158fa9310bedd4ff401ab090b576e4ea43d5a59573627aefd

SHA512
4d4e3f1f196a9fe3704e5482a0772b090a29393e1af1c9c3309b4c2f27cea8fc06b1bf4cfb5b2ba72e7f4c99ebf81dfb2270dd82366c1a286dc33adccecf98da

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe
Filesize
186KB

MD5
14251a16a86de0eccebf9fa1160ecaf8

SHA1
9b519682341d1599b88a082e829d78431a7e12fa

SHA256
bc0a84f2468124510dd43047753a43237a9c9bc4156ad0e72b4fa30677bc0320

SHA512
bdaff21ed5e9f8b17c0016522a3d9e89e120370c064324f7c11ea84a6f33c43456c0750ee547018e94cea0c092f30c5bd508b1e377a94f8a4d32614dc9259163

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\osetup.dll.tmp
Filesize
560KB

MD5
4d5602b82379aab3077a374039fbff7c

SHA1
82a66b9e564f8f3c6a8128ce74663b95584446e3

SHA256
476540fe088b0293b09ddff5f9a2b724b66e680034400c1187fece4ea999e722

SHA512
da8050669324ee5cc1d3fa0f3dcb8d47ee2005d3a6ba25dd6e045816306317333e005289e47fd1dd3a14b89fece7332769ad355f4fe29156b6fe6b9e31806362

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.tmp
Filesize
739KB

MD5
ae4aff40262a3a1cbe7876a307d0b472

SHA1
28c35194b6053a080e13552a9d02e3c8ac3a193f

SHA256
2da503f5723ed33d5c576e75c06c326f2b3ddb88c67445fa815cecb31ee3164a

SHA512
473ca3e7ff60aa10fbc6f1d5b2feed6fc40d3199965b365851aa18f4fa1ce295a6e095d9bee5425445943351c189efd2b6c534f7b2f3de10101d2f1db62c0a2a

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe.tmp
Filesize
800KB

MD5
8d4668fdd7be1763f131c60ce4caa5ac

SHA1
b93f54baf569c02981b1fa4ffffce20c488c2f73

SHA256
04cea99275456b686718211733efc223f0262b0f8caf8bf85b1f133e479e423a

SHA512
64faafe6feddcba7018f30b1c29d41da479e38467b1f9bbb2e69ceae1a931ab80eb6168e6309c86de2c129a9bb4d65abc4062c586d5cb28d626dc934ecbd7059

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.tmp
Filesize
864KB

MD5
7487f6a76fa051dfa9264876e5507bf0

SHA1
d34eb99cc7c02d48faaedb80fb2b109cea22fc10

SHA256
d99c11da1b80ee4c14dabdcc8473b6a06af9e8ab5c9d894bb86c244a94af7a1d

SHA512
5a23bf8d21918de22cacd6630a9fe754885d049b4d12a34ba992e2aa24b280f8876d8670a6477bc19f8615d142422c5598bb277930f74a027b1d65a2f586a9cb

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.tmp
Filesize
16.1MB

MD5
8924c664eb14590f5506607e91ac369d

SHA1
fe835d4d5cfb8ed18723e24e8047e6bf87aac083

SHA256
fd1c6ba5b3dd4cd88c903213d673ff5f9eb8f2610d077d539f80d2c9bd26b47c

SHA512
d4b4e9bf11b2493c767351288619a6f9365a58a5f01570e86aacb6e19b830c01657126a468e007841a4ec3e187381a0956d70340d3846ba85b2010228c2f5c43

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.tmp
Filesize
1.8MB

MD5
d16f09aa00c21ae95fe3c1a181b432a1

SHA1
13540f9b32cd2a9868bcfd2e53baab68723712b8

SHA256
2210472c26a15215e272ca46bb3c4a99e65d14334bcefc95aab219a0049c32b8

SHA512
cb8971fb4ffdf46f44e94ac257f4e774acefeec4dec827c594ed0507d6712c6acd03bd8e2d1bdc0efb0cc58fd9d77419150ab06390d78b5bf7c1168361c79810

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml.tmp
Filesize
44KB

MD5
168a85184d9e9ed57960ea45dc070756

SHA1
ef79c64c4b7acf872e703a2b312a13283192d895

SHA256
7fad011866963c587b17d6db36dc839376091d6ebc04d53ef44a18ad668bee18

SHA512
996af0e93c3bd4d7e64ed29bf7ec5d62111e619587e0c1615184b3d14df00c6c750e7d3d194224284e866346af02b2f980480a59705a816ffcc98fa61242a2de

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.tmp
Filesize
48KB

MD5
48ed446aff4d4eb691533670ea6e1075

SHA1
678284f70d36fc6412d9e40db20630f680bca1a8

SHA256
906540907a725f95443d76a1d1110435a156d897aac09d79921c57bf30cf252e

SHA512
cffd06e9ff8b8d54d81bd83af48869fd7187ebee17839de6120caa6abc409875d9f97a5f6c8e761f8a0114fd90cdfb18d1d9fa466d58610ae743547ef9dd84a7

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml.tmp
Filesize
43KB

MD5
40c97b7f240206a622813b106a31f2aa

SHA1
0b7cbbc94350c4935b0c0e253a82804b0c2731c9

SHA256
5562fceeb2a9d9c78de21f4be84f4216f1433dad081e342fcbcde12cf0e54262

SHA512
a30ac8b327fb43dc9de50bdeb17212e544d47ab26d0308bbc610cbee76d474f79054474c4b400fc50bf2131ab4a6223171ff95a3c339c651155f2983475e8e80

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml.tmp
Filesize
44KB

MD5
287c7fcfce22651598add5eb1268eb98

SHA1
d84d5c6ab18eef176229b475a261b89b2ae9c60c

SHA256
70e8bbd8f94e78dd35de1f8def320e00d8cca472b36b0a300731fd435d8a6fef

SHA512
792ba018776750b20231b4466b447c6952696e561f41259103f9b5e18ac6d4932e9e0b39f0b3c2870ae1aead8f66605510e4605736835d7d49edaf2806499e4d

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.tmp
Filesize
40KB

MD5
74f4ee2ce7da825fae92410c525fd800

SHA1
50c7043a47de58d65ee146acc2a5efc70db9077c

SHA256
7ab48c4213d1e99466d30ab58b0f01cfa659210d044b4c14d9d378b38fb5c8fc

SHA512
fa340d58932fea019845d29af23b01edd23123bcbcdf1219fdfed38a092879129f9a0ea04581685c821c8e864c39a2f61652f5cdf9cac98bf1842a6c0f333ce2

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.tmp
Filesize
44KB

MD5
1ff768d32582e31437789c8f8c2969fd

SHA1
0a4d7fee833707b99bc7cc66a6edf3f1e969aa23

SHA256
624661cd39ffd2770c576c6b793c0ce038164dfe7e8d3115c2a01aab8855ccb7

SHA512
6418c3c3bc1ec6382aaa9ca90bbd9c32ad7c0150504f934ad3eba108544c551760a308d997ac38627e0afbac69b16b3aee9676732deb976c0e27450353f7e278

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab.tmp
Filesize
1.6MB

MD5
be0bbc597d112e1ec4c5cf7f66489d0a

SHA1
f984c537d5e9e6d9b44309e36c7ad724e930b686

SHA256
46057352e1020ab62e199881ec05adbd6adf79ddfead2d683a86ba6408387a1b

SHA512
aab8174451f1cbe66aac73ea42707057947841fec5e1f244dabb5ce6750b7fd539e1194ffd7b755a325c9951c078a2741aa12e16023d977e70de257f78b273f1

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab.tmp
Filesize
14.2MB

MD5
2c2dddc181ce84e0a94a7b141635e5c0

SHA1
12046897dfa8ac2bc2f1ec4393cba12f24040ebd

SHA256
e803ec204d2655220aab7575730936d28b67fee5a639ba98f4a9ffbe51a21855

SHA512
a93f2705da3dd8e8c11f536f66885a5a95f22e170e84616ea4ff89f2283d1a9d3e16cb1f9704f139b1ce0fb3aa012b4af0698376e4ac1c1b0215ddda684efd2d

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi.tmp
Filesize
2.1MB

MD5
e29b21c4342cd0b9f363d439e531f0a7

SHA1
86f284b69b323970c3a2113a809b8875d9b950c7

SHA256
193932badab03fbd80fb4eec05782e217ffeecaae63ce2ca46b1b9e1ff3d3258

SHA512
bfff4578302e317607fe3efcc948ff53fdbdf40e5e5a1466e65be92c8ddcc2345e110902720ccfb48b786c2e6e888cc2dbe0cd004c9e6b3162ba6d3443f866f6

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.tmp
Filesize
45KB

MD5
377b54d288911bf6c822602031c1c186

SHA1
37e2cb072069542c4853bcc1a08205cdd70f8623

SHA256
df17f0ea377c2b1184554fee0f3dabf556553cbe84b313e80376714a445a80e3

SHA512
e75fc41a283f7969c82e8611e4d744f8b4fea5d6d9e82e4ca02303b39e6e5da8bc769555af2a0742c830cf2d1a6f8f461f01aea6600d2254366a8731b8168fec

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi.tmp
Filesize
48KB

MD5
03f61f40bf773e6f458ae783622fbc43

SHA1
f82a9b38f160927a6f39000f23ccd67d8377f8fc

SHA256
feaca0de9e23eab43cc0fe601b21722d1fd22ccb064a3642555bf859b7e1b6ba

SHA512
1c07a2a17ae1fd6cf9c195709c2b988ccd8f7e4ede9de49754e45c327eea7aaccd88c8d0898a15ccd0955c583b62534c9d8c022984eaf68e163de89e55912b10

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.tmp
Filesize
1000KB

MD5
29318955af6114fcd50e91795a5a38f1

SHA1
458393647c3ee1fbd3e0637a36fa5363295876a7

SHA256
0265e40b30da9e518747dd559de5ca374069c9efebf584d4e7177cd83fc965eb

SHA512
d87f0664c5f84ad8c203b89fc0debcd39fd09576899f74fc69bef293371a7bc813949321a2efad414d927d97abf31058e0ca3e07454bbf28cde0a4f6787f409d

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.tmp
Filesize
10.5MB

MD5
f270619aafec1e648f1706f408dfc806

SHA1
141dc75a05ad13c00704c17a1193dd21025ba1c8

SHA256
cda1886734b15add1e6c01f7823775055464377ef178a8f6a45e70aa9e3bd39d

SHA512
e4ee2e8c9a867563f76ff631eeb2972eea168b6483351695cf6f75d49f3bcd13c90f6e1d724d18df89747052c6e9abe5f2d335ba716f495b4b78900a0d0d720c

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi.tmp
Filesize
681KB

MD5
672a80aa755f3a4765af2f9163b00636

SHA1
3f052f5d5b8a19f9eebba82c73971fdee102f888

SHA256
fd67ba880a539757822584261fd2d12b89c72d1cfd37f5d3166c06e185a74ae3

SHA512
621444fea3dba6e416b2cdf003185b168fa8896fd54eeff157c1a6456f09d682a670327ed30e5c9a61babfec35809c2e706cd5c3cedeef87542f10e9a1a6cd76

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab.tmp
Filesize
96KB

MD5
fb0ad0495fb52dcf3a2a0a8a28e991c5

SHA1
997ff3443945e1cbee1f2c62680d708b27b4de0d

SHA256
41e0e638a8862749b80f970cf8be73f7e23d8122725f61cd295066dba12474f7

SHA512
0cbe64c260bf3b6a7b20eec71b6922e73a2d8c8080607b8d485c788e2b3d707e17c3d5ebbf7c8b014c2010c72e443eb69df5d145e4b871fa35009323a860d3dc

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab.tmp
Filesize
12.6MB

MD5
991a7b496c8817a7013c32ce20e584a9

SHA1
fa3e3cdcc03ccccd555737d61335d64af63bf609

SHA256
b8651d3495723003577ccb8c442e9524a3e9c45034306fe4562a71f89826bf01

SHA512
0e7e8b4c7db35398fd09e7da49d862f9c3065d412c37e828e0b8cb831e3020a9593678c4a178753ba0eff333f73de7424055de77ff8c4d7a2e6e7fe6b38e656d

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi.tmp
Filesize
687KB

MD5
a447dcb207a2e3065c7b68aac8746e43

SHA1
abe31052073a208ce267ad091f0bfcc1cc964a8f

SHA256
b8841da8685c1988caaa9ce9912e95a4d2de07f73870aef1e6b3587a99f8febf

SHA512
e736b8bc6a2c1c5c65dda47d67e1041ca8f69fd17b160e2d9cf7b9ae82b7800ebe2dddee34bc26912ecc031c245e1e5725ebf25b3a8c31a8e58cf2dadf6dba79

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.tmp
Filesize
2.1MB

MD5
b69d8abb98a1ae962f91c18fe09e2224

SHA1
76ff73cedc4fbd482ca9fcedcc1d16078eb948cb

SHA256
2f53bdad736421e436f98cd53c88572009baba81e469722423c0314d6d3dba72

SHA512
54b5402b8675c0302ac8e37e3437c5b6f4395773fe1eadb8085f6b7b4ab0bf821d045ecfbdbdbfd6d78a856bead884a79b9357ab0b643922623822bc50cdfe09

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi.tmp
Filesize
675KB

MD5
1bda7bce38fc3a74249e814138cb1a6c

SHA1
6eaeddfd645cdf5b5b91a06cb78d4566cb53219e

SHA256
832b4de7291969046386cf22c5cf3026c3cebc1a6a4e73df5ce8f25e1733646a

SHA512
9df2e891965f1527a4c39f4f50fea1de14d20a0f03d52c2acb25c19d4de4b95ce678e7eb49a7929117165382b4ab2163075eca605a6f4bc7c481fbf403b168b7

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab.tmp
Filesize
4.1MB

MD5
5d1ef506254a516a185d5767a1d32a4a

SHA1
14ce7d096f992e8bb5b758b3fb93ed8f52286510

SHA256
289a3aaf6274391494ef94fefa26679484d2e36a331e838377fa7547a40107f9

SHA512
5aaa598179791aff9670616d8299916b88f553b610fee5b3fb740adf67233c2fef63c93c3c27e3a54a36184671fd7e9e1ac5446bd87c7f4195c683124559910c

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi.tmp
Filesize
48KB

MD5
60ec2ffffbdfd423def7c694c4625af3

SHA1
dbdbf1d9995c3e07b1efe810c35238fa26079028

SHA256
c3c78793c5f0da47f00438ec3ef88cffad251bd012477482a11a4b988a0bdd7e

SHA512
513cb00485255d9dbda4208dae63752b56985040f365b70aaf96b9cd56873c7412bda312beb1c83209a6c3e81b2291d1d41babf5b9561676b64bc4808eef5ff8

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi.tmp
Filesize
2.3MB

MD5
4d50a13cfd33d0afe245fa421fe0914e

SHA1
b7ccc0b64caa4e74da04fc0bfe956603e74da2cb

SHA256
2b18abc76541afe37dbba22351e0e07f2e417d0378150bf769a45c6e37b37195

SHA512
df08f26cec3977fd4b5f74478d088c1fa119d8bdec0f5e3f92bfc8e34a9fb6e1fe31fbac3cf41d822a0604e866cf111af50fe5ef5badce1d7c5d345423bb404b

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.xml.tmp
Filesize
42KB

MD5
c8a631c8c5d8555b8a5af216811f382c

SHA1
86fbc9e752fbb08f5d0a0e735fdaaee2d3a1739b

SHA256
4e42f19528543970a447cab5e0954c8fe69e5da4e354dee89912758da932837d

SHA512
ca03e60bfe3022be125df5429736d0c44995c76c4bf0bc125aa4cdb21e4f8e5491b0e2c6950ad6f59e4e947416292caf6f7dc180f7d27074bd8a82a27a3fbf2f

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.msi.tmp
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OnoteLR.cab.tmp
Filesize
2.9MB

MD5
d7fd73c5cf42a3d44a7ed71fbd7e304e

SHA1
e609ed79b043b815ed61a9132e52baee09fda809

SHA256
2961a9d54b04abcfafe784ccebb1fd20169b54d3a9a12f3640bd7e294962d101

SHA512
d8c336ae840dad3cbb8c9a4898e5f01b36a20e5305e383397cdf86f7ef834dd686b247ac4d6c54b09b91015f7fe02fa2cb3a366e63177b3bb8dc48cfe9b0e99d

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OnoteLR.cab.tmp
Filesize
16.7MB

MD5
77ac10213d57c40e1660e80a8630eae6

SHA1
89debace659efcb6670add3f2349dd9b7843d771

SHA256
895dd76eff206964523ef2609efd3aa2aa99c50809db40d202ced0c96f18605f

SHA512
a9c5949d5bfecbd9bfc0afcaf2779afd2ab6d52f5416e17ea651004a863fb32ed295b11745d147bed4583136dd14a25145c608de7d223c7db1456cdf40abfd03

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Setup.xml.tmp
Filesize
43KB

MD5
fb5e823bdd0cc45374651c485cc521a7

SHA1
51ea573a54e54b9ed7f9084c2d7ead03f3da0cd2

SHA256
b02a1f6d3f54ccc2fddaeec4c771765946c19cf38baaf2b20f7c8b8d51eb389b

SHA512
f59a74b381a8ee36f9173f1131b990c3d171904135dfc9e80a60cd5ad974ab6a66d7cd8b9d4a5d1bfe712a9a392dcaca341b84275cec8fea8b1deb4519ef4662

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveLR.cab.tmp
Filesize
3.9MB

MD5
00fc86a3ca1c46a4497a26b52a57d431

SHA1
1593d80ab76be9f48b9c4950fe4a5ca5ca20fb6b

SHA256
b5c2fe3784d400298367ad5daed0123402651b91f04503404d00c8deab2e4688

SHA512
63c5aec82930241895ca83e9bc9c78727a871c6d75ead4e74f0cf1f1ba521ba1b95ae206b8dc542853cac9debe0888874e7dff909433173e17c05a72b92470d8

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.msi.tmp
Filesize
1.8MB

MD5
4043bf2c0e5f8a9ab3fab8b0df4f64be

SHA1
82e3f27715b03c8c27a6b4a4c7a9519b37ef35b5

SHA256
0e7c288e8a77004ef4643aede08f289794cb64f90f1de6e380935cccb9a4abd5

SHA512
22275203c24a9aab78654ce927be2300624f9c50096bd521cd005790f4bc28fd9c93bc2ebed708eb9d927ce598e3025b0cafc56d9c365ad9282145bf91611058

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.xml.tmp
Filesize
41KB

MD5
b747f6b67a237ddd73a4987bb9db80fc

SHA1
4a2342701d6b74b95e5f90bc147375bd5acf5221

SHA256
277fe13455a2eab6ff7f547fece0a71b0db4f3113e6c97b9a2e083bc2f33c4e2

SHA512
4c5a7ff06270206d4ebea809fcd41aedb5ca744e8ba14ca13ad7465d755dc91aa3459d9c398cd926b739e7ef8f313dd20c1328c2992f21bd3b3f33e454b04162

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.xml.tmp
Filesize
41KB

MD5
fbdc7df7925277f6c7b9ef6430a6c245

SHA1
82837576b81125a9521d31ea9bd1f544eaf60142

SHA256
451ed852a435f23e4336da99c5959d870f9a4f1618f058598e62366ca7c0f65f

SHA512
7ab34777830999b33be24623c9a1e67319b6b0e223d02250569cc86dc47901cc2d6788a99143b7912e84ae6311354fb194fb312818ca82781b391e97b4c9376f

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Setup.xml.tmp
Filesize
43KB

MD5
84f69aee310a710deb6985350b71e383

SHA1
b9a0487f14ff0bfa390e67ba4345f2e351031b2e

SHA256
ebd435b532385c65e0ce9cc6aa92691658c3d3f3cd498901801a71e5706fb8da

SHA512
185a43b2613ec3dff9794de54fc9f0aba79747f94d6a5a077a447da96bd5109cebfe0ac01ef59565e500faab0bfba4f19eb6b7d514aa98c21dba6e46119a223c

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwintl20.dll.tmp
Filesize
44KB

MD5
99789798a4932d920cb8e6cfbda91b28

SHA1
5049e40444832000c60e0cc5aa249d69510f5301

SHA256
ba37a37bafc34d19504d33f960b21b1622fff84cfae94cd8641fa7f3db720cbb

SHA512
7ebcb03ad188a4fcafcb7eff36722189a63061c4063489c3834e2a3090653fda244401ebd03493cc467bc16ed03cbd8dd31300938ea559c5477066e0244a227e

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE.tmp
Filesize
859KB

MD5
f2d185fa95a56b7846996d1c280fe545

SHA1
829dab29e2ce89bbd31474ab4231d9d49fe519c9

SHA256
391d77b6b1f36f5fde62a745edd4a828b7b23843be62349209f387c899245263

SHA512
448ccfa1d02785831cd69d2a79f4eaaa313e7701b030f19e15797aea59c7d227463c506e250be0709ef2b4b5efe5e265fddf42bb1937c421560c722fed801373

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\branding.xml.tmp
Filesize
622KB

MD5
b954a878eca5b246ed7496d3b1b2d2fb

SHA1
e88b8aa995d1fcc90d144d6c402f5cb8fa82cf80

SHA256
86ae1af32154e97b1554f09a9f5efc13cec8558b519bbe4564d3d6dbad2db9b9

SHA512
5041bbe50443a36106ca54372a1ec116c4498b7ae10fa613f09fbbce55e99352834bd908cb1642b9bfd7424eae623b0a1254662759b6c6fa9e43eee86c118105

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Bissau.tmp
Filesize
40KB

MD5
4b3dc2453ee14a5c5284e63ec719da28

SHA1
c33a793ad6e0e7bfc850a179c34bbee8d465765d

SHA256
a3dc96ccffad20b99e1637ca602b6f45e622764d96746804d6df36ecf6bc84b0

SHA512
a9120ddeb6aadb5fea8336eb47eb2117d75bf7936ab5057cb70deb8f5b1b4093686909e27bfc633fe9b5703bec35a8d05402025ff603cdbfc1dcaeb72dd116c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_chocolatey-dotnetfx.psm1.exe
Filesize
40KB

MD5
222b20ef8ca68c3927f5dc2caa81e765

SHA1
ed12a9465d6d4fdf1c47c1e52f54feb1f02ed6ac

SHA256
f619b4707e58f6606d1f758dbb76332ba18a5753e437ff6e1bc5bca91e99333d

SHA512
84bc0501708c498cc1f8c9c5e2ce565f54494b425a267b874213fe2a5b449f9fb92f41464a0a473ee950029e01e28f67c791da48419bd1c048d171869b29d93b

Download Submit
\Windows\SysWOW64\Zombie.exe
Filesize
39KB

MD5
fc3364d8dde8bbf8cc64c9dccf258eb2

SHA1
e78d5cb5d9acea48f39ae7523a63ee3002eabba4

SHA256
a0fcd4b6a4a28f567a29ac398bfd3cd535d7022bb1d5f4d1a90de1fec0c948c8

SHA512
4c4d48e49a08d233d28869e9b5d1cbc4572da19e5980f69f5186cae6845c6a6080b3bbfbaef8e5a22ed547c90ce3e29d0532c36f0078ae4ad9819123418870e7

Download Submit
memory/1268-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1268-7-0x0000000000320000-0x000000000032A000-memory.dmp

Filesize
40KB

Download
memory/1268-21-0x0000000000320000-0x000000000032A000-memory.dmp

Filesize
40KB

Download
memory/1268-25-0x0000000000320000-0x000000000032A000-memory.dmp

Filesize
40KB

Download
memory/1268-315-0x0000000000320000-0x000000000032A000-memory.dmp

Filesize
40KB

Download
memory/1268-1155-0x0000000000320000-0x000000000032A000-memory.dmp

Filesize
40KB

Download
memory/1884-24-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads