3b67a374b42a657bacd208447033debd8cf01b0d4e7a7fed6b3f7136d83068b3

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24-05-2024 20:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b67a374b42a657bacd208447033debd8cf01b0d4e7a7fed6b3f7136d83068b3.exe
Size

80KB
MD5

09370fdc36e441288cb22238c3659896
SHA1

6be8b277cf385ff320c34bcc196c22d20e086b8a
SHA256

3b67a374b42a657bacd208447033debd8cf01b0d4e7a7fed6b3f7136d83068b3
SHA512

aab7b288159abbbfb63ba4cb71c8a09fa2f20ba057a1b245af5182f42a74f1ca772884e3fcb43d3e056b846eed35ea16146619cf54a1c38681cf07a9e6234cca
SSDEEP

1536:CTWn1++PJHJXA/OsIZfzc3/Q86TWn1++PJHJXA/OsIZfzc3/Q88:KQSoVQSof

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (4999) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 49 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1796-0-0x0000000000400000-0x000000000040A000-memory.dmp	UPX
\Users\Admin\AppData\Local\Temp\_desktop.ini.exe	UPX
behavioral1/memory/1796-12-0x00000000003A0000-0x00000000003AA000-memory.dmp	UPX
\Windows\SysWOW64\Zombie.exe	UPX
C:\$Recycle.Bin\S-1-5-21-3452737119-3959686427-228443150-1000\desktop.ini.tmp	UPX
behavioral1/memory/2396-18-0x0000000000400000-0x000000000040A000-memory.dmp	UPX
C:\$Recycle.Bin\S-1-5-21-3452737119-3959686427-228443150-1000\desktop.ini.exe.tmp	UPX
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe	UPX
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\osetup.dll.tmp	UPX
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe	UPX
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml.tmp	UPX
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml.tmp	UPX
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml.tmp	UPX
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml.tmp	UPX
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml.tmp	UPX
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.exe	UPX
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveLR.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.xml.tmp	UPX
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Setup.xml.tmp	UPX
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Setup.xml.tmp	UPX
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\branding.xml.tmp	UPX
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE.tmp	UPX
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwdcw20.dll.tmp	UPX
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe.tmp	UPX
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\msvcr90.dll.tmp	UPX
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeLR.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\osetupui.dll.tmp	UPX
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Setup.xml.tmp	UPX
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\ShellUI.MST.tmp	UPX
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Montreal.tmp	UPX

Executes dropped EXE 2 IoCs

Processes:

_desktop.ini.exeZombie.exe

pid process

2396 _desktop.ini.exe
1272 Zombie.exe

pid	process
2396	_desktop.ini.exe
1272	Zombie.exe

Loads dropped DLL 4 IoCs

Processes:

3b67a374b42a657bacd208447033debd8cf01b0d4e7a7fed6b3f7136d83068b3.exe

pid	process
1796	3b67a374b42a657bacd208447033debd8cf01b0d4e7a7fed6b3f7136d83068b3.exe
1796	3b67a374b42a657bacd208447033debd8cf01b0d4e7a7fed6b3f7136d83068b3.exe
1796	3b67a374b42a657bacd208447033debd8cf01b0d4e7a7fed6b3f7136d83068b3.exe
1796	3b67a374b42a657bacd208447033debd8cf01b0d4e7a7fed6b3f7136d83068b3.exe

UPX packed file 53 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1796-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\_desktop.ini.exe	upx
behavioral1/memory/1796-12-0x00000000003A0000-0x00000000003AA000-memory.dmp	upx
\Windows\SysWOW64\Zombie.exe	upx
C:\$Recycle.Bin\S-1-5-21-3452737119-3959686427-228443150-1000\desktop.ini.tmp	upx
behavioral1/memory/2396-18-0x0000000000400000-0x000000000040A000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-3452737119-3959686427-228443150-1000\desktop.ini.exe.tmp	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\osetup.dll.tmp	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.tmp	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe	upx
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.tmp	upx
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml.tmp	upx
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml.tmp	upx
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml.tmp	upx
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml.tmp	upx
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml.tmp	upx
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.exe	upx
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.tmp	upx
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi.tmp	upx
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab.tmp	upx
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.tmp	upx
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.tmp	upx
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveLR.cab.tmp	upx
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.xml.tmp	upx
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Setup.xml.tmp	upx
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Setup.xml.tmp	upx
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\branding.xml.tmp	upx
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE.tmp	upx
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwdcw20.dll.tmp	upx
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe.tmp	upx
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\msvcr90.dll.tmp	upx
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeLR.cab.tmp	upx
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\osetupui.dll.tmp	upx
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Setup.xml.tmp	upx
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\ShellUI.MST.tmp	upx
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Montreal.tmp	upx

Drops file in System32 directory 2 IoCs

Processes:

3b67a374b42a657bacd208447033debd8cf01b0d4e7a7fed6b3f7136d83068b3.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Zombie.exe	3b67a374b42a657bacd208447033debd8cf01b0d4e7a7fed6b3f7136d83068b3.exe
File opened for modification	C:\Windows\SysWOW64\Zombie.exe	3b67a374b42a657bacd208447033debd8cf01b0d4e7a7fed6b3f7136d83068b3.exe

Drops file in Program Files directory 64 IoCs

Processes:

_desktop.ini.exeZombie.exe

description	ioc	process
File created	C:\Program Files\Common Files\System\ja-JP\wab32res.dll.mui.tmp	_desktop.ini.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+6.tmp	_desktop.ini.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\currency.js.tmp	_desktop.ini.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.preferences_3.5.200.v20140224-1527.jar.tmp	_desktop.ini.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libwave_plugin.dll.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\IpsMigrationPlugin.dll.mui.tmp	_desktop.ini.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_INTRO_BG.wmv.tmp	_desktop.ini.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Kabul.tmp	_desktop.ini.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes.nl_ja_4.4.0.v20140623020002.jar.exe.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Montreal.tmp	_desktop.ini.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Maldives.exe.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.di.nl_ja_4.4.0.v20140623020002.jar.exe.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-threaddump_ja.jar.tmp	_desktop.ini.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_bw48.jpg.tmp	_desktop.ini.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\34.png.tmp	Zombie.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\System.IO.Log.Resources.dll.tmp	Zombie.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_MATTE_PAL.wmv.tmp	_desktop.ini.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\en-GB.pak.tmp	_desktop.ini.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Wake.tmp	_desktop.ini.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-nodes.xml.tmp	_desktop.ini.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler.xml.exe.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\security\javafx.policy.tmp	_desktop.ini.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Entity.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.attach.ja_5.5.0.165303.jar.tmp	_desktop.ini.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.DataSetExtensions.dll.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\librecord_plugin.dll.tmp	_desktop.ini.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\stopNetworkServer.bat.exe.tmp	Zombie.exe
File created	C:\Program Files\Mozilla Firefox\plugin-container.exe.tmp	_desktop.ini.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\control\libwin_msg_plugin.dll.tmp	_desktop.ini.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.model.workbench.nl_zh_4.4.0.v20140623020002.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.operations_2.4.0.v20131119-0908.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-9.tmp	_desktop.ini.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif.tmp	_desktop.ini.exe
File created	C:\Program Files\Java\jre7\lib\zi\Africa\Windhoek.exe.tmp	Zombie.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.Entity.Design.Resources.dll.tmp	_desktop.ini.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif.tmp	_desktop.ini.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\it-IT\gadget.xml.tmp	_desktop.ini.exe
File opened for modification	C:\Program Files\DVD Maker\ja-JP\WMM2CLIP.dll.mui.tmp	Zombie.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Broken_Hill.exe.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Christmas.exe.tmp	Zombie.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\spu\libaudiobargraph_v_plugin.dll.tmp	Zombie.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color120.jpg.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_m.png.tmp	_desktop.ini.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\SY______.PFM.tmp	_desktop.ini.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrcommonlm.dat.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\browse_window.html.tmp	_desktop.ini.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\flower.png.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\item_hover_docked.png.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\gadget.xml.tmp	Zombie.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Regular.otf.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\title_trans_notes.wmv.tmp	Zombie.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\logging.properties.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Santiago.tmp	_desktop.ini.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\ShapeCollector.exe.mui.tmp	Zombie.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\MSTTSLoc.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\huemainsubpicture2.png.tmp	_desktop.ini.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\MANIFEST.MF.exe.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-modules-print.xml_hidden.tmp	_desktop.ini.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\PresentationCore.resources.dll.tmp	_desktop.ini.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\js\RSSFeeds.js.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\js\slideShow.js.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsptg.xml.tmp	Zombie.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

3b67a374b42a657bacd208447033debd8cf01b0d4e7a7fed6b3f7136d83068b3.exe

description	pid	process	target process
PID 1796 wrote to memory of 2396	1796	3b67a374b42a657bacd208447033debd8cf01b0d4e7a7fed6b3f7136d83068b3.exe	_desktop.ini.exe
PID 1796 wrote to memory of 2396	1796	3b67a374b42a657bacd208447033debd8cf01b0d4e7a7fed6b3f7136d83068b3.exe	_desktop.ini.exe
PID 1796 wrote to memory of 2396	1796	3b67a374b42a657bacd208447033debd8cf01b0d4e7a7fed6b3f7136d83068b3.exe	_desktop.ini.exe
PID 1796 wrote to memory of 2396	1796	3b67a374b42a657bacd208447033debd8cf01b0d4e7a7fed6b3f7136d83068b3.exe	_desktop.ini.exe
PID 1796 wrote to memory of 1272	1796	3b67a374b42a657bacd208447033debd8cf01b0d4e7a7fed6b3f7136d83068b3.exe	Zombie.exe
PID 1796 wrote to memory of 1272	1796	3b67a374b42a657bacd208447033debd8cf01b0d4e7a7fed6b3f7136d83068b3.exe	Zombie.exe
PID 1796 wrote to memory of 1272	1796	3b67a374b42a657bacd208447033debd8cf01b0d4e7a7fed6b3f7136d83068b3.exe	Zombie.exe
PID 1796 wrote to memory of 1272	1796	3b67a374b42a657bacd208447033debd8cf01b0d4e7a7fed6b3f7136d83068b3.exe	Zombie.exe

C:\Users\Admin\AppData\Local\Temp\3b67a374b42a657bacd208447033debd8cf01b0d4e7a7fed6b3f7136d83068b3.exe
"C:\Users\Admin\AppData\Local\Temp\3b67a374b42a657bacd208447033debd8cf01b0d4e7a7fed6b3f7136d83068b3.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1796

C:\Users\Admin\AppData\Local\Temp\_desktop.ini.exe
"_desktop.ini.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2396

C:\Windows\SysWOW64\Zombie.exe
"C:\Windows\system32\Zombie.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1272

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3452737119-3959686427-228443150-1000\desktop.ini.exe.tmp
Filesize
80KB

MD5
3f3c1ac49420924dd71f6f7c0397a421

SHA1
fbb0911f4d99e8b10e548d733bd876b858f55e20

SHA256
60d73fa0280924963aade008a07fe242671ca347ff2d79d5183c61a0130f94ed

SHA512
04c168e36bea3b0f13b2c9796a0a26a7dc05c12f8f5bfadcd3a504f679edd452176bcf582eef03f0cb93df3db4f9091221cd370939f4a80e6cccf2eab105cebc

Download Submit
C:\$Recycle.Bin\S-1-5-21-3452737119-3959686427-228443150-1000\desktop.ini.tmp
Filesize
40KB

MD5
2b95f170e6b399fb2be22cc7f4b1553b

SHA1
8f335b13b11e8c3c50817786df8b7b0973fa33f9

SHA256
a54f0079a922b13b64892ae9d39122ad60c9646168f966b1b4e5ca15a1c4bfe5

SHA512
4bee5f01fb80c9a0ddbd17d73f0a3cc80900ac067249a8e6b3db443b8c62d0d92a2e2e137c74b59cf9f858dc9f684e6a47f0baa3e458e1d6ee4921192d1911cb

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.tmp
Filesize
6.5MB

MD5
125851d0d9d7970386530d98d6a51972

SHA1
6fce8e43184d56f739ceab29bd4427bb1aa50603

SHA256
9bd00cb50d289803891aa6543cf7c9237cffe3050ed7e1fb2942fc783505a45f

SHA512
47ab9dee788c9d85dba90cb242f923f29a46e6052f96e071e68810600120bae39942e483b8554a6f2c845277e93f58fa721400ae767ca781f4b8193ec82c6498

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.tmp
Filesize
2.9MB

MD5
828df8458c7057b7573bb7b693a33467

SHA1
d1b6e3684ec9de2ba4fea5cd7ee1df2b9ac5ca93

SHA256
8d03a273ea737b4f79bb34b2fa0b5cbe1ac0959583bfbc75aceaef2bc74434bf

SHA512
e4e75f9e49b2ebeed53fba08fd3fac3fe0bac38bd6747e9ef7fa519fe8eebe86a7a5cecbf1d311e78129c58437ca42c90dbacef76b368ea9a88bfd1f720524c3

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.tmp
Filesize
2.0MB

MD5
16bf952a13f463bf98a5626224b101cf

SHA1
e31a6a9c4766a47adbd346fb92957a931d576ccf

SHA256
ba388cb051d65714db5ef6f783e691f7779ecaaa9338b1e17fa71fa87fd14f0f

SHA512
b5ffbcf8f106c02ba0307fcfd042c48d3e54e5d910795e72ae3510a5fed1ea69469d06354bbfa1136f73eba8c02e67e27dc68a701cfb02680503a5b62d413c9b

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe
Filesize
186KB

MD5
bacd0146769eaf5060ba5105fb54199d

SHA1
71784dcb7b124ebff276f01c65cb40db0b72d37e

SHA256
3672f9c66302f475fdedce15d4979130c71ff52a4804b0340c75b0d1948a2828

SHA512
6fd2a8554b8e22577c004543b8966a1cd2faa4901ebdcf232a143c9bca432e1a6998e95d8bb4bc5a6c081450f1dc1e3f03644ce634516a1b852f8d8185169895

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\osetup.dll.tmp
Filesize
3.6MB

MD5
fa5a7c29473dcd518b4188c6ef289bdf

SHA1
ac8691d247ea147522dd1d03fcbe9d5d48bb7ccd

SHA256
6259ad178b1a76bbea1eede13020f8e74fd62b5791a9bd521ac9aa6150d23483

SHA512
0987525670a983ad27f7f7d11946a1a003a0e9d39007642019f928967280181329e3faf748b227b0f8dc934d80c3066882f924d864f53d4862948362f9d6ba9d

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe
Filesize
1.1MB

MD5
6d8567fa119ce07fff4401d6f9cf5ecb

SHA1
be23bc934524f0b704886d98e6657c083ef0b992

SHA256
860cf2c2ecfa3e93d3e098a1c44487c0423bc12411362a066c73c1477a689270

SHA512
454df528437f77e63f455cfe4c1b1a084c7a757a3a599fae26f8d7ac55c945f436095486bdf9dcc69f1d438dfe7ce490e102c928c717321c68e35e0bcc4ca679

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.tmp
Filesize
864KB

MD5
3ac00fe252856d3aae229e0de4dffcc5

SHA1
950d02b2c595e3312e939ce686a597f2dd489fd9

SHA256
8dd8d202f8744f9788f5bf9b38cd5cbac5b32ab2959dc6e04fc35836397fc59f

SHA512
be8b3fa078363f8261e798e9ea6d6a1270469f506cf701fb0b7754fb90ef4e8081f1bb4098b0881bba7aa7df2dfa38794a58aed7136a9a45e8eebf0175c044ae

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.tmp
Filesize
44KB

MD5
4886371194f34058d7e65989a4b18883

SHA1
2f60f096af105893fbd0ef8746e2add3bdc023dd

SHA256
e1e3842c3374b8f51087c9c108354cf6f5cc9eb7218029d25845ffb5af202236

SHA512
63b4db606dcfd991317b5da5657833ca3331f2951637fc46920f16201f16ba2603f935ec69f361403cadc28d24267230d0eb6c1933c72031b0566dd24bdaf423

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.tmp
Filesize
1.8MB

MD5
f3f7eecebcaa6cc58d574b4dd37ba4c0

SHA1
48fdec2acd2371b6b539237ee918d4be92d8718c

SHA256
58dadbfcf96c79253221cbf0e25550760d5a85e2a91fd85efcfaede089f1ce00

SHA512
2d51a14d4518aa14c704c1302190c61b5c3df0896b0bf5b9e59749593399518636f13897ca435b6609af388fe3513255a9c86029f5d5ac0d08a7f559ecf95f28

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml.tmp
Filesize
43KB

MD5
9c4c354339ef2ede32ee2d52b6ae705d

SHA1
97810f3ef986ec2ac303b59ab87e3f23ccb3a5c3

SHA256
9cb8861c51edbf9135b6714e6e55be537cfc064ce928c2d490edf525cfcae7e4

SHA512
aede95d29f7bd2df8cdd0bf5fff5d580038517996d2b7687018c07e94b4cb8f2e7564db69b1b93d2c047afa2ab3be110a64cb9c404159f7223527cac54e6f7c4

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml.tmp
Filesize
45KB

MD5
44747c348b20c636f891be982992a99a

SHA1
5cd7fdaea1116c1c36723cb60c3573ba074abe22

SHA256
10deef1d64695f3f6877242ffdbb95764bde753ec27a28bb6b5914345c4a9bfd

SHA512
39da4eec4e032b3ccbc0bf660235652c1dcc550ef8cdea79f50dea5ebf4f0688ba19545822949363a140379c38a070f79ce56119d1283a901fed2cb3fb986b78

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.tmp
Filesize
1.8MB

MD5
1b99c696602176f5b11ed69d41afd9e4

SHA1
ca4ff605bbc7dbba121dc1dee45d4ee42a682382

SHA256
32d9bbc7cd8b5a3a5a6dce6640234ffef5f7e46227965e25f0d289f986114f82

SHA512
798cdb4993ea3eb81ac271145d02a35d990ed972cd7d926b30c78c0f94a9a348a77c76a3edac629fdd4d171bf06310e5c7a9503e92c6a287e117564037e05a48

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml.tmp
Filesize
44KB

MD5
1ad711ee6dc6e3ad377d3873b77bbe5b

SHA1
90818dd50c0d759a991f4e55effbca6973e9c803

SHA256
2c2a87df1f392890d465bf4dcb1cc313deeb6a285f547239de7c87531301c3a6

SHA512
7a07a948ba7229ae87f7cd84db158325bc070989e1a0737d670dc12f03bab4e646fba93f5b0cdf3ed4513fc1b863e7821676839b59bd3a1edadb6cc83dcc1d72

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.tmp
Filesize
48KB

MD5
d790abca181a256085862da9b5b877f0

SHA1
860405b1c39b33542b79b99c2af18f83c28ea67b

SHA256
cc0da03dbf8d7579738ee8e70f893a11ea02e805365e04d88b740444bfee0d3b

SHA512
abd86e6d195a87866fbd4c6a1d2d13dd37aada82b54166ed527200aad368c752f6a62ec9cafc460bb35557d157901f629aee55828c3dfe14d37f45c0ccf3fa96

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.tmp
Filesize
44KB

MD5
0cefd6edab7a3893a9e819963af1c74c

SHA1
612aad2d8367eae32559035230c99db80441ec16

SHA256
760f8d002f6d7a1810672b3f76f40a76de06d59ae4ffcc9f42664a586ed5692c

SHA512
73e6b084ad94411160f9906dd92cae193aaac057e559b728cce5a236934e277e7a86484ae9ee89f8350c025db348624997e7acb0573facfa7f0daa75b4d392a6

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml.tmp
Filesize
43KB

MD5
8feab72025173d5032e263cf7474677a

SHA1
8eb2094137b5a156e1ad665feb950b6a82ffed47

SHA256
80550644a2a3e8b79dc5173e4598ff0e5729245b9e64a36601b2784245e4cc0b

SHA512
2f34ebf975557cee4be3ba80fe5d7236d0390f17e242dcb7c75c9a2032a0063cf2ddb489d670be80718dbb043aeec595ea23df6b15b7376cb6909396621f5e9f

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml.tmp
Filesize
43KB

MD5
564482c2c4d3afa6c38119cdee8caff5

SHA1
e09ced08146eff12af1b415c4bca35c1285f993f

SHA256
70e1f5dcd6e7c2b2a2c7431ed7ed9cb08dfd41131dc5d1fdd074cfe662a4488e

SHA512
3e3b1f809a482d81b37c084e953a3e863b2fcb628926d0e72b0c407ea50977519bf58e27897ac862d4b4f13f499ae9c13c90815f982e055a077a2e6f6cc017a9

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab.tmp
Filesize
20KB

MD5
63f1c74032194b468cd8b4e798e7c432

SHA1
0ecb2946e536c1356fddf08a4adeb7a23b23b798

SHA256
3e70d4f3b03217d9c1dc336fb705cbde92ed5a8b4892d6a7a8a18dc3242d8818

SHA512
e4a4a6c6f7eaf168ca6cfd8df5203e8c970cc7678779f06b0dc010b3a3ffa6730834780f9009cf805281cd23bb381453afdb045bdc0dbc4e343dc182ad3ea316

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi.tmp
Filesize
2.1MB

MD5
7bacee482b55a4d1ad6b864f1b874cd3

SHA1
b5d5487d13053290f3d50cbfcfd979d9cdad96f0

SHA256
5ceba4f6f8d3dd43f625836cdb8071280b557183fec412a2fbd327ab229e51b8

SHA512
2ffd1fc0249e1690d6f10d038a7bb4cfae377e7b4844ab5dafc88499ca6c6a5f4bbc725bbf827309939e05fe8e952ed355fafb47b6dbabe7dd51576cb3bde174

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.exe
Filesize
45KB

MD5
87784ddfac423c1ab0df876114d89685

SHA1
96c3accd0aa9df0fef34e75d41b1acc1965f03e0

SHA256
79172aa41dd3478ba674a8e54497bd69110277aa3c4214caaecb4068f61bd404

SHA512
40a237e1c491b044d7c32e9c306d184b0fa83ec3a9802088215f874aa68e54ffdadaddbd8c60a142ab4b5af94542d3ce1103582eaf49965d155e83e7846c42fd

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi.tmp
Filesize
1.8MB

MD5
920df05e514db5b57ebf93b3c3804a05

SHA1
8b4367aebd51778901203b72d5affada7a1ef8a8

SHA256
6b32c3150e8c4907ad6e867b8b1724e07e9539d07567cdafcdb39c97b5809b41

SHA512
df3e5760a551c24c950a8c38a47729b28fb69c74789e6f533310a87cff73b69f5d32b56ee5d54ff5ca9d62a200d40d79e244429c3de4d26f0d2f5efe04ad0bcf

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.tmp
Filesize
1.3MB

MD5
6239c18f4c475a1c5946b7d5d1ced6f9

SHA1
d237edd3e321335457fbe5ba1f36ed3e1b073345

SHA256
12dc0fef0bbbfff6fc75553aa31ff30876ef5cd25c23516d3211315f9674ee3e

SHA512
5a364749ba5eee0efb54d1a1915b934cc99b989c4b37fa226f41793fe0e231d1277e9a3691e668d22decaba07e0c4a25090bf860cb3a0cbe24e8d52dcc2895da

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi.tmp
Filesize
682KB

MD5
1f895c8e484a2215da3e4118ac3e58fc

SHA1
04b6107d8d9556068a6a442dfa54372397c2d49d

SHA256
63987193ae359971c021c1053988c02dc15bd66bc0389a635a7049c6890e17a1

SHA512
12c85d78f0490f2e2a00faa39fd023cb3cfa0bcf62ba6fc1d7973386c9d38163478e439e76862fdfb1112424f82780e155b409effb1888e298d94495ecdd1b79

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab.tmp
Filesize
48KB

MD5
544ef1ad21691632e76d21ecb7dc4d88

SHA1
1eb9e4e424c9e774d10e446ab2778e444acfbeb3

SHA256
2b067e2c724a95c9db2af34d6b41b8b3d8394fb5c07c87c8fad6696bfbadfa4d

SHA512
776595f65e08212ddf92e2189318b88002f92fb48459a6a6149cbe389198249b92073955734b64e029ef1236a85336d3a8a503f955650adcc76ebef022f99886

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab.tmp
Filesize
12.6MB

MD5
09f3a1b7647948372de706bd0e9a3fea

SHA1
0635f0cf550a21e6c837a87c93bad0feee0c9022

SHA256
d66c10d0481dbb915cc5c5bda5e9d4afaef98ec6ade9f17a8e9122c46136f5e4

SHA512
5cf6a6d673776153abf7b869d03d31bebe487439bb8e438d5059024f6916cd6eabef31f72bf5e0a5aef0e0151c8ac57227e0b4468d267e72b1b1856c8e54a4ba

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.tmp
Filesize
616KB

MD5
1f502cbcade4eb74c0452eebdc45a396

SHA1
c7ee4305d8edbb14fad97eb62fedb17a21803b5d

SHA256
fb9505c75c19df3cdaefcb95033bde724039c9010ab3cec78b73d2136a5a1ffb

SHA512
bc8dca927427beb15e63c6ab8a4acda28f1dcd7befa9903c925fd2aef2c6fd937f39c1c68e76652aaf62e271cd340b2cfe93ccdeb073e79353502b6994d5972d

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.tmp
Filesize
19.5MB

MD5
5e0500b73bfb9c6d473c88a0968e546c

SHA1
5506db7240edc64933c8d0dbe862ccd4490855b4

SHA256
4ec009ab7bb5fd77c8d90f389e6bc41ca1528896c75eb304f70f8b19f30dde5f

SHA512
1700bdddc1c584d90326a1268b3cb4df3b273e668dc86b9eb9686e51f15d0772b5bdd31946f55523038bf0d676a72f7e30bf01d83609325d642171f5c656fbbc

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi.tmp
Filesize
692KB

MD5
6b09604efd19306dc8b97af102d84624

SHA1
9ad74267e8f5bd30baf5921f31e745aca500f2ea

SHA256
cbc1b265763d3134fc7a219d2eba824919dc93fd1d204302f6acc527823ef83d

SHA512
7d5b47107f7b3a24aad099d75fe9fbac4c11ffefe0167eef471b51fb6f8418b70abcc4fc91c15642220e63c30de9977c6913c11ce887be04409664db4a162e9d

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi.tmp
Filesize
675KB

MD5
fd30f1577b6071ebb92470c63fa3d6e2

SHA1
8693e63bc82a6e37bff0e5e1a51bf0e916cdea8f

SHA256
e762698e1a2a2e6a0a8dcadc031bc2ccfb42bf3ca36b4f696acf264c96d78296

SHA512
545ea1133a8351ebcd1cb344ce24bea1dc6c8a4dd6854fa809e8e2f154e35af0bf063dca6a0d43a566a6822d7bb4e9b5b582ca6b6b5be62ed15ac24c705aeeab

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab.tmp
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi.tmp
Filesize
2.3MB

MD5
92ea10cb24366c25acb98b955a94f59a

SHA1
e095d74180fe2e55187b00288168dc03d8ec5a75

SHA256
6ebece53456bd3fd2391f1f8255a0d94a4a2173b7e96bfb5a5b32d7496b47fbd

SHA512
10d8c776d6f0411d6b2be592047e1fbb67379be57210d20898c20b2707d4d363d2b47d0c43ec6d69c484708b621cbf0fceef997ff0d357e2d8c5b92b228f65c5

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.msi.tmp
Filesize
8KB

MD5
c91247a971e3919e0af53100a19aea97

SHA1
a21754a2ef607a00071c356dde9d595b8bef94bc

SHA256
9493b95b5b5ff2ff6472f7000a50587608d0b481eaa3d02ef4636c18d20c172a

SHA512
92b8c6bca6916849fc30b47fe6f60d15205ce796973fbbb068671584e570c4f571f8069fce266294e6fc68b794aa2cfdc471114d7b692a997d35e83f8f7afd7e

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveLR.cab.tmp
Filesize
3.9MB

MD5
60b07aed8fdf1b6f57c7038cecc1cdba

SHA1
7d6827b370c3b1de87fabfd616d171dc3cd6d995

SHA256
464ffaf20084995aa81e030a052877e17c89a47c3fe3c63d8ce27d0d8b0d13ca

SHA512
65db64aff4db7ff4493f7b80541811d7c19f179a1c422ad5ac6957d7549d7558a84f44fcd58368be9e7ea2e573d0b5883908d8ad2e8fb20e90082a75c9d0b07a

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.msi.tmp
Filesize
1.8MB

MD5
2dc9153d3c4623fae73468bd93590836

SHA1
55311e69d7511b8a6381265ed76ee2f5a592c16d

SHA256
352528f025849421e346743a15349b1c41ffb685251764f539d373dcbcf30429

SHA512
f8dff91f46a4cdb467cd91190e0133bd9ea10cb8134818224eda27fcd6f196ec3951a79a7aeec2529a6b242466c178e7c34ebe3864461699dcda9c34507729f3

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.xml.tmp
Filesize
41KB

MD5
4d8ac5de9a8689e949954d9b9e622429

SHA1
fde0cea7932f13c782977dd3ad6ca9ef1eeb4023

SHA256
d16f164e46d71fbc63180ba9e89cbc3c81312c2fca5af358dff429ade8c1c813

SHA512
e6c352e2871948a772a3c63280bdadf009e6de715059f8ac95914bcffd702c1f7cdb3254bdf6152428f2cc5a50fb9e6ff23e463219fd96de4c88f99bd0f48844

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Setup.xml.tmp
Filesize
42KB

MD5
5f18deef1f6596b0be4b44ef40db3025

SHA1
37f833ba48c91d2dc67ff8f42d9417073c5ce4fe

SHA256
5a966d57a4b4592699a02d0cb5cf2e2d83d1a63525c7e184e853a05e94179a9d

SHA512
725093da1c51b3827646c80ce60dceebba725df664260ed0071fb4891b02530a0c5e4f4cc5228aa4342be1c7f330533e1ba122ff78283e2dafe38dce09a95c01

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Setup.xml.tmp
Filesize
42KB

MD5
00ae7800c2c56743034c5bafce9cf13a

SHA1
8d08c107588754aa54b0b52c728f957a9c9383bb

SHA256
c4f470d9f198176e6289182857d4a656c906b6871696e5b7c4c1a366c317513d

SHA512
e71a54eaa5fc956b95322ba5f3682cc52a25e14c42bc4db6bee20d6b2222c31d48419d7239998330eeafa823b31a0907d69c7f598083120065042dacba2ae07b

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE.tmp
Filesize
859KB

MD5
ec4db4baf05bae9ec4355e1dbdd514a2

SHA1
ff6cfe790b2e21007454e2912cfafe5202364f17

SHA256
486fb7e07ac43e0304eb2bbb165ec05c8472e9ef67ab43f35cab6b569659040c

SHA512
53e6293d4356cd5a23335c4ed3f7fffcefa61086b7b9c16dd314178294d52e2b70b00f285616af3756efa9ae485b811a66f9d419a839c229742a4480472be2b4

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeLR.cab.tmp
Filesize
13.7MB

MD5
c7963b7af23af7177955fa1615a4f18f

SHA1
94d2e364fa03f324457fa22557c5d347ef68705d

SHA256
55393a6842cbc072645f51cc450bf64a7ea2a82c3a4ef4db0a7e8dc16cde58ed

SHA512
40e345690c0b1d7ca54ffca17cfdf0f0a314025f3f3ec89bfa31df101d446c706353846aeacbb46adbeb7e3e06a85f5599e962888fcb7e988ee61c1ee499c918

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.msi.tmp
Filesize
2.8MB

MD5
4cff17ba7843921be07c2610f6f7a3a5

SHA1
a789c5458c889992480249e62c18d96c63ae95a0

SHA256
a7871148e1e3dcf3d05a840933b5f11236155f1d702f93f038bde8a09c7a91bc

SHA512
5d3331fbfeb69806224bd31f7ca23568e65c0c2e8e373febd4cd86cc6bf83e4de16a5f64de1a5f83d5b1483912edbe564eeb2ef3a5704b888562de891c8da2f5

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.msi.tmp
Filesize
2.8MB

MD5
927371c4497160c8a4d0f8f105017f5c

SHA1
edfbd35778498c139835b39b350f4d546bf8a755

SHA256
dab58b53bb7019f9409c56f98a0ba15a9c9170d10e4262096cf57d5bb09a4c3a

SHA512
1d6d0a264c34f30260031a1e2038599a536ca96ed2cbf11877ba24613d28847eb75cae2c660dc90b01931d2493454193f419d44352922d6253368ff362bd2193

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.msi.tmp
Filesize
675KB

MD5
120ac8f0ffbb3b1717b343428d7ae0a5

SHA1
d824dcb1fe5d7eb371a3059e910f2d0bba4b087a

SHA256
51c3177b738e143e43871444092bde18892ed577cb9e7ef78aa0d9d6b88843af

SHA512
007ad248f64d4a0850dc13c83f5c6e8d6b45230964370a5072b2f87ec639d241d03d6ced5dd96eab41e6b16f7768f57b1a51869044a9bdfb6e06bab86ffe0eac

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Setup.xml.tmp
Filesize
50KB

MD5
8ee60f43c111f0a6d1d0c6c68d783569

SHA1
f1c7e04e2839d799479d21ebb05bffd36f76606e

SHA256
76f3991937c3653feaf00cd8f6461b5d0f215b66314e693f6c8ca4dc178e3eb5

SHA512
5dfdc49e22da35bad2642c520de061bbd0af992b96b0f6ddeb4f374801814e2e0b2dcc5f7022bf88090c0ab0fcae461644025549a965b5268a62549a69c1528c

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\ShellUI.MST.tmp
Filesize
47KB

MD5
6e02475444871e33fa70a2c621c4dd42

SHA1
9ae64aff01238ba19a45db6ebe178174be44934c

SHA256
8eaebd062d475da54c70bfb23d80eb43795cc54dc6ae0f8a1db9dbfaf0e2c49d

SHA512
36dbf4f8f7916361f50643a3eaeb37600d50d3972e8fca4fa91333081ac527da57b5e423526ed4eccfd8608542c9d498afa35aa578561d56cde6a9b2e6b8db1a

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\branding.xml.tmp
Filesize
623KB

MD5
ac9f434b56705d7780f7100394c976e9

SHA1
ae2b3cb7ad51e1340180f2f794f62e01fd73f9a3

SHA256
e55d8e91a8ee01b9aef57d12b4333ac6f474a61422b401249f6c79e55901f412

SHA512
451b218389b2bc91d734966c8189c219b2478f8a060d20d73da22b7df240cc89ecd4dae023de8c306d140b8a06118bf1a3bd26987219e6615ef06d52e17301b6

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwdcw20.dll.tmp
Filesize
554KB

MD5
0d7124c48621d3e4b94c13cf97f0381e

SHA1
1dd207315fd05f02b65292d6670714a6ef7f8fe2

SHA256
e4bcc34c050ab6adb05fa1b6b7ef856c1387ea8a4869be3e3a881b7735f8dee9

SHA512
af683260472b55e3179fdbe68f02667109bd5576c2d801ff247c4acb22e97b90b3de0cdc61b97809992297ea078495870bfc15e7068d6c92a06b0cf397092c61

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe.tmp
Filesize
548KB

MD5
b2c30d974a31a96c01b386762387c187

SHA1
56f2500ee222e898e0b6a6a22cdb8108fafdb56f

SHA256
912b50c3785fa282d959db0d4258f68376d2a34f59935c87a5e77d33d7315346

SHA512
882d2a5bed1b691c6e9579e0bf376344d2f8e54c1d63113a9041880a53fb9cb6245575d7b949eb3d28cf44bbdd22bf71248fbf29da2b0271d1e04ca87f5c9323

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\msvcr90.dll.tmp
Filesize
681KB

MD5
9d22bf6fbbba2a55c063843b2f20226c

SHA1
b5d7198d5e2b3dbf4d62069219c6267035bd9cd5

SHA256
982ddbffb2f33c4d5700672aa363b3b24973298984515897bf01dd1386e6ce45

SHA512
93dd7b9c4326c2b71e8fd4cd387bb1b45e1c87abb6b1fa5facb063b9042e9b2431210e9705bbeec3f25562d378a7cbb4c7c33e126beab5b5835518ccded060a5

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\osetupui.dll.tmp
Filesize
228KB

MD5
703a22167e4643ca2839f826cd10954f

SHA1
d8897eb9184d910502b0cbc8df98a7d173abb6f4

SHA256
393aceaae67d9ae1618f48f073044e7fca8e7f4662b162cecb60e830889f8931

SHA512
ab553dc63afed5d9e244601d9a68d10d8eb0586f35aaf277221ef72505fa6896a093f8059a8751b4191d1d7c9e2bce54dd82d2bd3b12f72fc57929083a55463a

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.msi.tmp
Filesize
679KB

MD5
c7df176e37b271a74c75bf5011619892

SHA1
b6875dd99a2fad4b0fcb05dc83921426905ffefd

SHA256
09f9585ab4bcc912ba27d21140c051b9b7c97befde4283762efa5a8366d7d527

SHA512
1762c5c46f769a3855ba602f22373c9d68d27430bd6248df1062e5002e5fff271a4fc0c6adca9a93a5b3adc0d20acfb1730b668cc0b40089322d18a62aa9897e

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Montreal.tmp
Filesize
44KB

MD5
7db2a8a62440405119fea562ba6b4cbf

SHA1
fdfcce481535d23f041b1bb40a8a1e44d0feb210

SHA256
7e5437dcd077d243121c47bd0e69bec575eb490ac0d8f70f3c404ccde292ee89

SHA512
81839317369dc3408f16b5b65cbd0f8938ab2897eafa2df90eb2f3b1cdff0b4422636936c84382eca39cea595e74508ad0bcca9a17ff7ad71a2b8c27fee1d925

Download Submit
\Users\Admin\AppData\Local\Temp\_desktop.ini.exe
Filesize
40KB

MD5
56220fed739895dbae2e01dfba7fbedf

SHA1
9718a36c2c3ad33a174513f96ba33812d483bbdc

SHA256
354cbe6563a7d417aff82b5b4d1bf3cf4d1a302b8e3bd8eeaa0de6233ab22f53

SHA512
7cb1301fb079a0a8920adeb048a869a328462f04eec431d0cf575cfcbb0543fb509f62399b94d32b122855204355b3071013e4812ce99622bd2328fca2a043dd

Download Submit
\Windows\SysWOW64\Zombie.exe
Filesize
39KB

MD5
fc3364d8dde8bbf8cc64c9dccf258eb2

SHA1
e78d5cb5d9acea48f39ae7523a63ee3002eabba4

SHA256
a0fcd4b6a4a28f567a29ac398bfd3cd535d7022bb1d5f4d1a90de1fec0c948c8

SHA512
4c4d48e49a08d233d28869e9b5d1cbc4572da19e5980f69f5186cae6845c6a6080b3bbfbaef8e5a22ed547c90ce3e29d0532c36f0078ae4ad9819123418870e7

Download Submit
memory/1796-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1796-12-0x00000000003A0000-0x00000000003AA000-memory.dmp

Filesize
40KB

Download
memory/1796-1451-0x00000000003A0000-0x00000000003AA000-memory.dmp

Filesize
40KB

Download
memory/2396-18-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads