8e864249bb4821e633374d2380bb22ec844be328dd476d62b7684394a3dd7f53

Analysis

max time kernel
149s
max time network
117s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
25-05-2024 00:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e864249bb4821e633374d2380bb22ec844be328dd476d62b7684394a3dd7f53.exe
Size

104KB
MD5

0238cbecd6d7dd2f3862916583bf27e3
SHA1

9e4a2d779425e96d64d5857bf2854730cbc7f177
SHA256

8e864249bb4821e633374d2380bb22ec844be328dd476d62b7684394a3dd7f53
SHA512

2490b59c43a42d0ed4a6efe93e754a43fba9108524cc48eef586388b68ff00a5723a94425b9098f25dc6635dfb4969d72f0c21a2e0fd73a322b878c0028d1832
SSDEEP

1536:CTWn1++PJHJXA/OsIZfzc3/Q8yiUTWn1++PJHJXA/OsIZfzc3/Q8yi7:KQSoBQSo2

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (4364) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 50 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\_AutoIt Window Info (x64).lnk.exe	UPX
behavioral1/memory/1972-7-0x00000000003A0000-0x00000000003AA000-memory.dmp	UPX
behavioral1/memory/1972-6-0x0000000000400000-0x000000000040A000-memory.dmp	UPX
C:\$Recycle.Bin\S-1-5-21-3627615824-4061627003-3019543961-1000\desktop.ini.tmp	UPX
\Windows\SysWOW64\Zombie.exe	UPX
C:\$Recycle.Bin\S-1-5-21-3627615824-4061627003-3019543961-1000\desktop.ini.exe.tmp	UPX
behavioral1/memory/1972-31-0x00000000003A0000-0x00000000003AA000-memory.dmp	UPX
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe	UPX
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe.tmp	UPX
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.exe	UPX
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OnoteLR.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveLR.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwintl20.dll.tmp	UPX
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwintl20.dll.tmp	UPX
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwdcw20.dll.tmp	UPX
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe.tmp	UPX
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe.tmp	UPX
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Microsoft.VC90.CRT.manifest.tmp	UPX
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeLR.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.xml.tmp	UPX
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\osetupui.dll.tmp	UPX
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\setup.chm.tmp	UPX
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Setup.xml.tmp	UPX
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\ShellUI.MST.tmp	UPX
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OWOW64LR.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccLR.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\AccessMUISet.msi.tmp	UPX
C:\Program Files\7-Zip\7-zip.chm.exe	UPX
C:\Program Files\7-Zip\7z.dll.tmp	UPX
C:\Program Files\Java\jre7\lib\zi\Africa\Bissau.tmp	UPX

Executes dropped EXE 2 IoCs

Processes:

_AutoIt Window Info (x64).lnk.exeZombie.exe

pid process

948 _AutoIt Window Info (x64).lnk.exe
1720 Zombie.exe

pid	process
948	_AutoIt Window Info (x64).lnk.exe
1720	Zombie.exe

Loads dropped DLL 4 IoCs

Processes:

8e864249bb4821e633374d2380bb22ec844be328dd476d62b7684394a3dd7f53.exe

pid	process
1972	8e864249bb4821e633374d2380bb22ec844be328dd476d62b7684394a3dd7f53.exe
1972	8e864249bb4821e633374d2380bb22ec844be328dd476d62b7684394a3dd7f53.exe
1972	8e864249bb4821e633374d2380bb22ec844be328dd476d62b7684394a3dd7f53.exe
1972	8e864249bb4821e633374d2380bb22ec844be328dd476d62b7684394a3dd7f53.exe

UPX packed file 54 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\_AutoIt Window Info (x64).lnk.exe	upx
behavioral1/memory/1972-7-0x00000000003A0000-0x00000000003AA000-memory.dmp	upx
behavioral1/memory/1972-6-0x0000000000400000-0x000000000040A000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-3627615824-4061627003-3019543961-1000\desktop.ini.tmp	upx
\Windows\SysWOW64\Zombie.exe	upx
C:\$Recycle.Bin\S-1-5-21-3627615824-4061627003-3019543961-1000\desktop.ini.exe.tmp	upx
behavioral1/memory/1972-31-0x00000000003A0000-0x00000000003AA000-memory.dmp	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\osetup.dll.tmp	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe.tmp	upx
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.tmp	upx
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.tmp	upx
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.exe	upx
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.tmp	upx
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab.tmp	upx
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.tmp	upx
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi.tmp	upx
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab.tmp	upx
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OnoteLR.cab.tmp	upx
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveLR.cab.tmp	upx
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwintl20.dll.tmp	upx
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwintl20.dll.tmp	upx
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwdcw20.dll.tmp	upx
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe.tmp	upx
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe.tmp	upx
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Microsoft.VC90.CRT.manifest.tmp	upx
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeLR.cab.tmp	upx
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.xml.tmp	upx
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\osetupui.dll.tmp	upx
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\setup.chm.tmp	upx
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Setup.xml.tmp	upx
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\ShellUI.MST.tmp	upx
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OWOW64LR.cab.tmp	upx
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccessMUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccLR.cab.tmp	upx
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\AccessMUISet.msi.tmp	upx
C:\Program Files\7-Zip\7-zip.chm.exe	upx
C:\Program Files\7-Zip\7z.dll.tmp	upx
C:\Program Files\Java\jre7\lib\zi\Africa\Bissau.tmp	upx

Drops file in System32 directory 2 IoCs

Processes:

8e864249bb4821e633374d2380bb22ec844be328dd476d62b7684394a3dd7f53.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Zombie.exe	8e864249bb4821e633374d2380bb22ec844be328dd476d62b7684394a3dd7f53.exe
File opened for modification	C:\Windows\SysWOW64\Zombie.exe	8e864249bb4821e633374d2380bb22ec844be328dd476d62b7684394a3dd7f53.exe

Drops file in Program Files directory 64 IoCs

Processes:

_AutoIt Window Info (x64).lnk.exeZombie.exe

description	ioc	process
File created	C:\Program Files\Java\jdk1.7.0_80\include\jawt.h.tmp	_AutoIt Window Info (x64).lnk.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_top.png.tmp	_AutoIt Window Info (x64).lnk.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\PDFFile_8.ico.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\mainimage-mask.png.tmp	_AutoIt Window Info (x64).lnk.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.di_1.0.0.v20140328-2112.jar.tmp	_AutoIt Window Info (x64).lnk.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libsmb_plugin.dll.tmp	Zombie.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\spu\libremoteosd_plugin.dll.tmp	Zombie.exe
File created	C:\Program Files\Windows Media Player\de-DE\setup_wm.exe.mui.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\en-US\gadget.xml.tmp	_AutoIt Window Info (x64).lnk.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\heart_glass_Thumbnail.bmp.tmp	_AutoIt Window Info (x64).lnk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\UTC.tmp	Zombie.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\jawt.lib.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-masterfs-nio2.xml.exe.tmp	_AutoIt Window Info (x64).lnk.exe
File created	C:\Program Files\Microsoft Games\Solitaire\de-DE\Solitaire.exe.mui.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\images\Back-48.png.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\IPSEventLogMsg.dll.mui.tmp	_AutoIt Window Info (x64).lnk.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.workbench_3.106.1.v20140827-1737.jar.tmp	_AutoIt Window Info (x64).lnk.exe
File created	C:\Program Files\Windows Defender\MpAsDesc.dll.tmp	_AutoIt Window Info (x64).lnk.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe.tmp	_AutoIt Window Info (x64).lnk.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-snaptracer.jar.tmp	Zombie.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Vilnius.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Chuuk.tmp	_AutoIt Window Info (x64).lnk.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\IpsMigrationPlugin.dll.mui.tmp	_AutoIt Window Info (x64).lnk.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Pohnpei.tmp	_AutoIt Window Info (x64).lnk.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\UIAutomationClientsideProviders.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_foggy.png.tmp	_AutoIt Window Info (x64).lnk.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationLeft_SelectionSubpicture.png.tmp	_AutoIt Window Info (x64).lnk.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ca.pak.tmp	_AutoIt Window Info (x64).lnk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Bishkek.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libopus_plugin.dll.tmp	_AutoIt Window Info (x64).lnk.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libschroedinger_plugin.dll.tmp	_AutoIt Window Info (x64).lnk.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\slideShow.html.tmp	_AutoIt Window Info (x64).lnk.exe
File created	C:\Program Files\Windows Media Player\ja-JP\mpvis.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Windows Media Player\Media Renderer\DMR_48.png.tmp	Zombie.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\libGLESv2.dll.tmp	_AutoIt Window Info (x64).lnk.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jpeg.dll.tmp	_AutoIt Window Info (x64).lnk.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\feature.xml.exe.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-progress-ui_ja.jar.exe.tmp	_AutoIt Window Info (x64).lnk.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\UTC.tmp	Zombie.exe
File created	C:\Program Files\Windows Mail\ja-JP\msoeres.dll.mui.tmp	_AutoIt Window Info (x64).lnk.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_Main_Gradient.png.tmp	_AutoIt Window Info (x64).lnk.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeUpdater.dll.tmp	_AutoIt Window Info (x64).lnk.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\mip.exe.mui.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host_zh_CN.jar.exe.tmp	_AutoIt Window Info (x64).lnk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libripple_plugin.dll.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\redStateIcon.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\updater_ja.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\Australia\Eucla.tmp	_AutoIt Window Info (x64).lnk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\vlc.mo.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-ui.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-tools.jar.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\background.png.tmp	Zombie.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\Parity.fx.tmp	_AutoIt Window Info (x64).lnk.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\MST7MDT.tmp	_AutoIt Window Info (x64).lnk.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.net.nl_ja_4.4.0.v20140623020002.jar.tmp	_AutoIt Window Info (x64).lnk.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-multiview_zh_CN.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\WET.tmp	_AutoIt Window Info (x64).lnk.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\gadget.xml.tmp	_AutoIt Window Info (x64).lnk.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-tabcontrol_zh_CN.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvm_zh_CN.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\SystemV\CST6.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll.tmp	_AutoIt Window Info (x64).lnk.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif.tmp	_AutoIt Window Info (x64).lnk.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

8e864249bb4821e633374d2380bb22ec844be328dd476d62b7684394a3dd7f53.exe

description	pid	process	target process
PID 1972 wrote to memory of 948	1972	8e864249bb4821e633374d2380bb22ec844be328dd476d62b7684394a3dd7f53.exe	_AutoIt Window Info (x64).lnk.exe
PID 1972 wrote to memory of 948	1972	8e864249bb4821e633374d2380bb22ec844be328dd476d62b7684394a3dd7f53.exe	_AutoIt Window Info (x64).lnk.exe
PID 1972 wrote to memory of 948	1972	8e864249bb4821e633374d2380bb22ec844be328dd476d62b7684394a3dd7f53.exe	_AutoIt Window Info (x64).lnk.exe
PID 1972 wrote to memory of 948	1972	8e864249bb4821e633374d2380bb22ec844be328dd476d62b7684394a3dd7f53.exe	_AutoIt Window Info (x64).lnk.exe
PID 1972 wrote to memory of 1720	1972	8e864249bb4821e633374d2380bb22ec844be328dd476d62b7684394a3dd7f53.exe	Zombie.exe
PID 1972 wrote to memory of 1720	1972	8e864249bb4821e633374d2380bb22ec844be328dd476d62b7684394a3dd7f53.exe	Zombie.exe
PID 1972 wrote to memory of 1720	1972	8e864249bb4821e633374d2380bb22ec844be328dd476d62b7684394a3dd7f53.exe	Zombie.exe
PID 1972 wrote to memory of 1720	1972	8e864249bb4821e633374d2380bb22ec844be328dd476d62b7684394a3dd7f53.exe	Zombie.exe

C:\Users\Admin\AppData\Local\Temp\8e864249bb4821e633374d2380bb22ec844be328dd476d62b7684394a3dd7f53.exe
"C:\Users\Admin\AppData\Local\Temp\8e864249bb4821e633374d2380bb22ec844be328dd476d62b7684394a3dd7f53.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1972

C:\Users\Admin\AppData\Local\Temp\_AutoIt Window Info (x64).lnk.exe
"_AutoIt Window Info (x64).lnk.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:948

C:\Windows\SysWOW64\Zombie.exe
"C:\Windows\system32\Zombie.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1720

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3627615824-4061627003-3019543961-1000\desktop.ini.exe.tmp
Filesize
104KB

MD5
d7f6db5cf73643bf4a68a2ff339e12b7

SHA1
2ecbd33e9ebf51da00c17ae3f9937b97051a48b2

SHA256
fe35a26ccf5b0127232aa4cd325b1f5e9a0a77bc634fe66fd72e30202ac5277b

SHA512
ed73932544d3e6578364710aa1adcbdd7c15ce747de536b3914a0221448410424206bf05262228224dc4715fede9b62fa41497b0b21d426c8541ecea3d09de6b

Download Submit
C:\$Recycle.Bin\S-1-5-21-3627615824-4061627003-3019543961-1000\desktop.ini.tmp
Filesize
53KB

MD5
650957ee4ed41b7db9c7dacc55e247fa

SHA1
0e8045f1190f659025944fc9e553b067178333c7

SHA256
174fbf914759f7438daefd7769363eaa865554e7fecf82ad6921064b33f6491b

SHA512
f43c2c61eda377529d8afa5600264bcb6fe955f0638393860cd1b713a64c349532d1aba0ff6df6cf6501550243534ce35a043f414a5e0a6563e32610609627ab

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.tmp
Filesize
5.2MB

MD5
d130beaaff563d5d0ee8fe64a5702db6

SHA1
e356ac949a69cd0a32ecbb2d1e3418b639521e8c

SHA256
6b1621333beccf1053df8e669684440dbe87c4212953512387fd4751a772fb3f

SHA512
6be729191efee15a141511dfed9c6cfc8a41e45c001490f8c0f21de260fa8e4c89ca2978123fe0f5191f63c40cc94b548c1a2b4383b3cd316293b7fa377a504b

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.tmp
Filesize
2.9MB

MD5
483e5eea5bb2fe4d3871bdae1e417a27

SHA1
9b8c144b67a7eb4cd6ef8b067b10ad0175c42fcb

SHA256
a8162ea221e05143e881beeadde8182440ba91a3ee6e8da9fea6220c5df36dae

SHA512
86f2f356c4882344e95641057d08aefb93ed8d9c3fe9a5fa32ea92d206926a7e3fd42297fddca88706d30dabba28bf7ab37ef9645b803cf9fb9aa670925ea46f

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.tmp
Filesize
2.0MB

MD5
9afd7ec465249b60e82fcf3f0dd1bb6e

SHA1
4a56d84be81c5c3840d929bc98faa2ad4cb1e6c2

SHA256
60090dbffc0f298cbbe1281d5198e47f8e2d5e3f604f08a41309fba043646ee2

SHA512
b00d6c3ce4ce67e20550f1c4c4644f377dad9c9e130c0abab862a299beb0cf055766f78eb943432761bf90cf43c431c64b80a8e359eaf4e1297b16e62fd1d088

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe
Filesize
199KB

MD5
49c757b1095596e0c6dc990d435bc534

SHA1
a05a2cdd3e85051b7af75195142d9e5304489a94

SHA256
0ed33ddd7a900269da954027a933d892d4311ca0e6d2407c6bc1424706e7737a

SHA512
fa18a0544eeb4713c284989e6a91e62a1d9ad36fde659a847a3faa13e446198470233b44a898e00da87b00a532c1917e21e5e9292edbb243685c08988060e04c

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\osetup.dll.tmp
Filesize
3.2MB

MD5
ca40cf5c6c68483048350f2074087528

SHA1
f4591ad51ae0a57233e135275fffe009bcf026b6

SHA256
2ebd42b65264ab13275ce4a58d7555a51f695e2c10d5efe9a06f5394b69258a6

SHA512
902eab81b22e766ab460cc7a114fb5d4442e4ec6b3c8d8a2e5a69b200fea23394bc1f9d95db65caee7cfe506d96c072794175e189e00f1c66ee8e346e0dba8ce

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe.tmp
Filesize
1.1MB

MD5
0aa75f2365d7cbbd01a8c5a1f1d0e966

SHA1
839c8a03ac2be3df4f751ea5df2ab2b6f772709b

SHA256
4373824bf9bc3fa8ffa28a315a077c1e6803420b7a69f7800d3563734dcf0c0b

SHA512
cc64988ddabda674353938ccd1ab0805a480f6534c081cb9a8c626447e0ad67806c6b00352fc5c0837d1796668e3f8997f9ae6382a33b40a9da0696f64cdea9a

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.tmp
Filesize
56KB

MD5
95170b625261a57e3174d6686db115f6

SHA1
32f6fe50435b3b49f80e8aefe84846d7da84d724

SHA256
4a92f021495397bff5e067df02c1f586d23400358480dcecdd644ea7050bac33

SHA512
6efb31715efb0ec662da6dc8dbc73d3724b69a1157a776d0940204beeb31a9227b7911489088ad0dcd2e15cb0a6f2b1a013d4e1624870a1948b2ed04afd0a38e

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.tmp
Filesize
1.8MB

MD5
36e057eb401bb5a807f026b6688f9220

SHA1
2870b6a4938ed6958ce88652e91f274109a35480

SHA256
6905878632bb641565cec57e537592712162e8860cbe77c6ba7bfc6a5ab3cdeb

SHA512
ef0d32aa473b41a22bc8298012ced20d74f091fa925d892883f8cb57d0ab6661458d98372ef3cb399107464dae4c3268e7c5ff5ec4006bb4d4ca70ca46f6e51d

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.tmp
Filesize
1.8MB

MD5
dfec9f409b1ea016f03c0c5cfb4235bb

SHA1
6a010255a8f74b41788efa80291969ecd588d053

SHA256
442845ebc6020335fe0ddc5aad90aa581e7ceb30467340d8ed347a4f44088fee

SHA512
7aae15515bb33ca41ff62d40db2472dbe38530a51243163ff5e412f0e01511f8cb466537e067c000b9679c6cd4db70e35b018c205bb81e37f602dc2c48c06965

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.tmp
Filesize
5.2MB

MD5
8747c060c4e897e3d5b42adf1d751c4b

SHA1
59f5849c556079fab503fb44c912c756ce7f0081

SHA256
ddee53dd423059f5e6bc5e6b171868479731899e77cd2eed4736a022d0b770ed

SHA512
901b69d99f80490f2159f15ef5ccd33be16def21146a8e75e0b4c63c6395b499e005cd006cd66dc5f477d8ed210f3e6fa965bd8d4e13c5a4c0f2c0cdd15d11d7

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.tmp
Filesize
1.2MB

MD5
9dfcf0e155ed0f5a7ea48a90c94a125a

SHA1
544744ab24ccd95969c1bbe7bd10249fab694a03

SHA256
0deccac3becff3b50246cd77901e99e5a265f7c70fb7416a07bddcef548454cc

SHA512
ec55438c13dce012fcf33cde3e1c84513c015897e8454fb6a56c083b171e57a440edcafcbe4bfd017c93ff3fa385a7c07333782696d32bc016aee7c88c9e0cd7

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab.tmp
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.exe
Filesize
58KB

MD5
d7ecef4e7d8480020db9fb8a35f8c2c7

SHA1
3591cc0d522254665105b87f4fe187b008f072e4

SHA256
b8ae3a185d7cc983dd6f36c559a5ded1757d3dde7a651b17c0a08b25345cd077

SHA512
42a0a2134f92d839c0159135c97f95cce11cebe34cf02dae4010d005bd0bb31bc88f51467e38e9c64521cfd631b6e20e346e3bb0d4f5672ef60842175c324db5

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi.tmp
Filesize
916KB

MD5
64254bdac98b5f7b927b09789b46e476

SHA1
61f6c3b628ae47cbb18d580169a92b1b9455e56d

SHA256
85b91c2fd204e42cfc751a75f5b62eab3719622e385e19e923342e0e1e0eb430

SHA512
48ce31697dbe5c9e2aaf0a6d20a6fb1a5e373f5b1942eb4665eb0a6c1469d6821aefc8625bcc190c68aa682bafd657aa0f6816e5632d78ac25348fd47870ffa3

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.tmp
Filesize
4.5MB

MD5
aed31c423439c66206d9ce377e3a3d0a

SHA1
308e315a009bf042958feab517e0404a5b9e76c6

SHA256
1ab14c0329964c25e98ad7adcd9bbeb51af5c85c50b8a92ade66301dd798a7dc

SHA512
20302007604f41352e9bab5cde4579dc9bf1c5566cb1acd2d23ae50c887da676360710d21402ef1cb928e1b3851a3c1ec4cd03dc74dead295056395b95488805

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab.tmp
Filesize
12.6MB

MD5
8c1ddb927d12454dd8244caab1ec062d

SHA1
786c17fb09a9f421e3f4f21aedddf6ffe54d8351

SHA256
17cb23112654c26013a00d3d9a256a0eabcc4958d35c075f2ca5daf886d49dd9

SHA512
a1a42914d7520157a9e7fb9a8296753dd8e483e70f662f6d78f7f41e11409445d9156c403870377dcdf3c7614498ab408ef24ecca7bc35bfec1517ac92bbdff4

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.tmp
Filesize
5.3MB

MD5
5944782ec6a208ca77c2ee1f8ded8b06

SHA1
9ae7baf83845f951f005b71430ad0fa382cffab4

SHA256
f00b1e77ddd89cb3172afe28ff0336a238d076378b061e6cc77e34d50d83a71c

SHA512
914712a129818d6a91046b0acc40d3b750e277984a819b527d883678f753fc20f9485e3b256bb80d68e22a8bfb517f292e98a538bdec3cbcd9f81f3280a4a44b

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi.tmp
Filesize
705KB

MD5
8f64ea8afb17b2cca8fe6ee6929db45d

SHA1
6470898c9000f73852816c0755186a158b0bfdc9

SHA256
1c07a3f3611ed84af60181c9a7113e1b779114669f46d0d7c435cf0bc9cb37cb

SHA512
72c8023cf3d6a7df84a2cc2fe419c281150b203d6498e67d5909c217f40563e0dc2dc053c35b679b2771c6145e857a567d7b854778406edb3f46d50d664bd955

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi.tmp
Filesize
688KB

MD5
202aff0599bc35811609ea4c360678df

SHA1
772e5d10e1aafff0dd5195f91a7aad6b95aa54d9

SHA256
18d3c365dd78d05c2ceb9420e115cbca8354e9f1116b8186ab085acfebe2aca0

SHA512
01b5b755943e78c98b9fae1fc46632d581fd85c6f00399bdb3e5d6cc51f963df0feb0bbf4339332e3602db263d182b7fcb6220276d05b8810c9a12435d464336

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab.tmp
Filesize
2.7MB

MD5
46dabe2f7d7f69739b886ea8412f162c

SHA1
8606065b7f07a02df145be84492dc8a77bf31404

SHA256
98dfb850501b0a9ce9d0c6aab2db94a817d86413f8bad39c2435c4ddccb3b176

SHA512
c7e0aeca79b69b212f4dbde0917384e3576b166d2df8fae4ce35edb249114039ff6b6d92aec1f36e5f8c6adff30123535d7d93b5f6003d5e3f3ed60c2e85eafc

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi.tmp
Filesize
972KB

MD5
c05a9751e4895e9cab466cdf7a542e7c

SHA1
ff725d6bd65781fa507e15d2c1de4772c6b4eac8

SHA256
2507434b1ad2f399b7858f7311ccd440e543329e642d7d7bbc9bf0b67f628cf2

SHA512
e62c1543776ebbc7e38e6d269e30122c984489c11befcaab096ceb772f1fb451c5c2f1f38cc12cf0bab039e3e9d445d0da3dcd1ede7996922775452eadd59b34

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.msi.tmp
Filesize
1.7MB

MD5
ef658d7db6a4c44d6a93401b86c9aa34

SHA1
0c069e2554b910609175ff5b47300e2dfea6726a

SHA256
a39be31247dfbfb36a95e3cc85026d349f53e8f3b327fe9f161d3f6aa152a05a

SHA512
6765f2fa51b579cf663129dee8f2cf773fe903459e0b6459e68dfefe784e359350ecd58dfcdd33075828591e900c6de5154140fca28775438d2d89f72d4ddcc5

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.msi.tmp
Filesize
1.8MB

MD5
8fd757088c9e8a05ed26059f8c8688dd

SHA1
9e3fb9c33b5c2b0c0d9ef589220f57024238da45

SHA256
ebd9b5f994167d23d2bdd9f1dbfc738e2c42a898e4fac598eecf8289135f26fa

SHA512
e905562607fba37503cd310aa3cda791f29d2d75ec101168ade6c53c95d5f2df23ad10740d503c290df97637af365c5f15d38321380d6c9499f2f3b8ff205ad2

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OnoteLR.cab.tmp
Filesize
3.0MB

MD5
8da7ff728feafd88505a470a87d7c4ea

SHA1
62f0085d828c854f51a8ecdd4088b65c52b4e0d2

SHA256
3e0764dc7fffb3a27d8c4efca3051bad3a329647b21db809d726efa42a2859ff

SHA512
5ae61db6ca5fb2780cbcbf1e59f9e0591606844c6b6719d45e2bb7a6ce1f75d7d0da8c3ce6a223833b9d9b1411b80ae2c3667f404d6fa3c7ae99e2ff19070a9f

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveLR.cab.tmp
Filesize
560KB

MD5
b77ad45a842ca33e5765fe1801e593ce

SHA1
512e164f41bba46eb5157e6ceb54aecccb07ef3f

SHA256
3688bf85db20197a1b9c5380bec0c8e02f45d6058a425fe71b871324dc2c0b2e

SHA512
80f0e8e5ca7be7bb90ac170f382e71a4c331f29818f4c8a8257b4d71a328c2003c9490765b0cd4548108199a8e1f85723b90c302b73f74e281d05662fcd2d426

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.msi.tmp
Filesize
1.8MB

MD5
e1d2127941d6880baa6a5d0b43f0614d

SHA1
0588472061fc33f66f1b54df31e75f17c204cfd3

SHA256
faf043cdf60b1a4d495f6a7afbab6f649448853d6d7c8fe012dc4787fd80e3de

SHA512
fd773d0c4b91e94b15c46e43baed49f7adddd72e46e1727732cdc0dbd36830ee050ec33a2e675b223e06dec4baffcbb54c532b9579b7147820643a744f3e259f

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwintl20.dll.tmp
Filesize
158KB

MD5
a0b87196415be1c261353a582159bd0e

SHA1
3e0cac0235e5b2c204c5c1689a093d47c27fc122

SHA256
b5710a4d25920f3b6f065c24d85879aea45473b0e64da8b3c172d1d7b1dd40a3

SHA512
9595eae7ef8ab67bea1d87a366e0c6d68d86f92808dbc0e7b48411a772e2216b7763197fee67ff39eb86ba371c256e9ec7f5f6f6f417806c4130470028085aec

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwintl20.dll.tmp
Filesize
158KB

MD5
fda72d9028313981ee3d968cf0fa9271

SHA1
24d6007f5ca81d0b198ea3acdbfa28e4d711f664

SHA256
dd5e8f3e6a1c751c6d76ad55df60086cdf0a567f8ade4ad670c789ad8a0c8467

SHA512
d0808e2bd36a04ee90f5d48f12df9c251e85cffb511ca3a510021ae5f3db86e78af75affc89dfe7ec88a2a8a66cf2397ae4db958714cb127f9192ce444076764

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Microsoft.VC90.CRT.manifest.tmp
Filesize
57KB

MD5
e2ce659bf4e4ddcf0d689018b7d6a26d

SHA1
3c66457d74062a576d653fdb0b4f42f073aa12bc

SHA256
6a55bf0f7799ff492de10d54f9c36976bfc8c946c069077b16fb93b7fd72e9e8

SHA512
a4f093e6b9054348dc9399e322c7fa15cad603667af7681212ece15b595b01bc57d4d8b1d9d344b58a84bb906f8311b83fcfbf8e44c8ec23478f1f869f0faf6e

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeLR.cab.tmp
Filesize
1008KB

MD5
b6b266789ca9dc3876edf045bac2cd58

SHA1
557f922dac7aa98313fc6f5bb37968bb488e5d7d

SHA256
294309e5359d9e550c0a90398bfa99b5572f7fd973a54c4cce1217c7aea9b4c0

SHA512
2e60d925ed50a4484d6a5b0e223e841fd95f1f5fe5cf07f0d95acf822a4f47ab16c4ef5bf6532cb3b2e1f800ba6c31abdb8e1b5779e583b7379c929b3df2f7b6

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.msi.tmp
Filesize
52KB

MD5
490cc28f733fc6531b51fb1516a41e81

SHA1
b3c89a024089ec2ba24bfe86d3892f1251317957

SHA256
882660aa789d58c1a89cf8c28f27f04d36fb03e95319ba4a47f30be97c41e53a

SHA512
e6f34228d1ccf7cfbd2c26de58e60c3e92dfef7254b5077a6209ed4bd282e88d6e4b1289990974f01373dc80ab114c3ec11cbd787b0126561450585324f5df98

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.xml.tmp
Filesize
58KB

MD5
6fd3623621fa45ddbb88da1e42f145ad

SHA1
ca2237562e7ff5798871e84f712adccdb9ef5474

SHA256
349973ba28aa42288a4a268c51d2fbddce8e9ea1b9e99a60037d2598790604b1

SHA512
b7ff367f76abaf86f310e7b0cb987a4de2598e1b4f40a7bd92fd42cfeadb2730d670e58f66320ab679bfe7b3a1c18c6e6ec05184c17183537ef8626e167e703d

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.msi.tmp
Filesize
52KB

MD5
1d18cacfbc3250e4c381097428cc8b7e

SHA1
51f1f590e8df85269f46d30c64ffa3d72d9af9c5

SHA256
a113c2e0a477a690f2a3e12c5dd6a00f518719147a0ea0363abb97f6fe59df83

SHA512
4eedd043eb46c0a3369f03fbfebb2df9b4316d67820efdd138a9e9fa43d6ae6d155bc4892ef900003191b61c0db7b24806c0ad1426670493fc70d339f5b0d5c7

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.msi.tmp
Filesize
688KB

MD5
950b0eba3d7216b933af02fdc3f0ec04

SHA1
6495ac953533ee3a7a581fe65ee52d0756ff9c72

SHA256
8af87f60ca2fb06a09d14babbc1925c8cf653216269753c009ecc0da286ed250

SHA512
4e8a7edee6e0f75589fd46b3e26a52790647d71be69fa5746b8c5b4af0792599afae2bf735893b3f8bc99d22b284d9c7398dd455e6fc398d5fd3eff84a2b9d97

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Setup.xml.tmp
Filesize
62KB

MD5
869d43681f9c82393d9310eca31a3a48

SHA1
f4c5c2fb98584a4305e54dae6fa605394f26a2a2

SHA256
fd1c09cb1ba4c9edcec4c004349c0ad5a419919225f6075ca0a78fc41840307a

SHA512
9ae819af2f3131713f37edb95afe541ff685db1a3e55ddfd77c1ee0d2eca382dcab24bb7adb6b9ef378644d9f389fec523396c346d3d732dcde4553fd8d8f47e

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\ShellUI.MST.tmp
Filesize
60KB

MD5
dd20d7ddb53b2aed71c778cde95123a8

SHA1
83e39c83c235e7a1d57ed75448078047f01af619

SHA256
c714690418cd0e9baf43023a114acab517460bcbe908e01969808ffa61203a40

SHA512
99f7f3dcfbd0f92f7a1d93704a0f0c94f7d3a43d99eab39a5c7890ef21774484efd66c004d74662bb79a0cb3da769c9f75ddf579679b0cbc902db59a9c02fc83

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwdcw20.dll.tmp
Filesize
64KB

MD5
0bd553c850ac7c4027d0d71aab11f536

SHA1
0afc756d0b20dda82696a0708641228708074481

SHA256
af7a73763514307f810a3240e1adb40a3b14927ad700168b3aba8f70acaa2ca3

SHA512
56a791bc7a7149c25559fc56d7b93a4382da7315e04a9bd326c97a1806dfed70c2af4ed1cccd0b1f1fe785886bf4c8ad2978adfa00337a90658dd06472eaf836

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe.tmp
Filesize
60KB

MD5
20004b8b3b433f36a0a9509fb28af99a

SHA1
b4b07bf88b662a45e899a5474bac0b99bc9f656a

SHA256
760bba991ecb0956f827954244787e84364b3e844078b95ee73f5d9b3d23fc8a

SHA512
c8fae905299eee9caad099d15c3f19f5260f082e79a287634933238246244cb4e30b3734c77d549f467b191a08fa819b11b23daaecf50250d9d957772d39bde1

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe.tmp
Filesize
560KB

MD5
d26602942404def14cea1dea3e745b66

SHA1
9196e1c5762faf870ace95bdfa9cfbc80e393a8a

SHA256
a96aef0e9bc2d2f5de4f7dffa6d15206b5c22ca95f5ac045893a22ae7740fd5a

SHA512
9af489bb97140d212488f582f75e35916c11478b28fa07093b470a563ce5a87778e810fca555580d12a2e17ec2c6f00615dbb65f8371172780dc10e7bbab47db

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\msvcr90.dll.tmp
Filesize
64KB

MD5
883eefb1ced449cacd100914ee26327b

SHA1
5ebb05c411e85dcc8153f47ce703f4db69a6a097

SHA256
71e5c3e056332738d5ddeb7283f7f7f43a30e06dc5d20e5fa0fc92e511b88535

SHA512
4006a679aa7c80cbb8f29c02dfa50b01a1cec78e7c9bd51ab722448f7835dbd5ae62932d29751ab3da78911d50e7f21614d6bb254eff52bb115a84431674fb0c

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\osetupui.dll.tmp
Filesize
240KB

MD5
a78fa8ad6957e378ab207c4a9ef64095

SHA1
1649760bd6ded86ae8680dd2925d22f8cc4605ee

SHA256
13b9b90b3453610ff1240436d4074e541b983b4e484df4b4dcfc74fa1d06db1b

SHA512
24c2f6ebf07e089904044a4c2391bf251deaa54f763ab7f5e8b411dbf0bcd5f68ef36fb95d7eed15c3f9869c75c4c054ce66a3fbdbf6a2c498941ebc7947b6ee

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\setup.chm.tmp
Filesize
56KB

MD5
0f4fddc2580e6797148affaa0460198f

SHA1
6c8ac4acadffbc78b0c1a07ead1a7514ec9b3a21

SHA256
1475e55106afa366c361e094d73d01ff35a56aaeda392526b7a8b8e141a9f6f8

SHA512
41f53b0c9bde09785314c7f264a327c16e0961c8494731d710591c006de9e41b454fc009b0990fc5ea7544434c4850a5739810959f1ed0d5d882aa4053f7b688

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OWOW64LR.cab.tmp
Filesize
1.2MB

MD5
2485bfeddd320fd1ae8d14d54d60c893

SHA1
db143d2896fd9de0325089c2b38b3e94c6b53b77

SHA256
1d525f83c557a80c4a931e6f58b2143878d79ba891cddacec2a88aa1d016db22

SHA512
bd28b28622f79b1633d74d9637310f7b0909828fb2e253193a645f6dcc40223ae8d8a4e86b07859364d818ccdc6a7e83c28e80255698dde3ff74abe6fc8bef0f

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.msi.tmp
Filesize
60KB

MD5
3a63377d405e09ec3c515da3c83da79b

SHA1
fc1dcb542ce6fc6e159aa1ff5c880ee6e2013dc0

SHA256
13727125e1b837eb1d89f920c7c9b469c142a770c7d9910aeec1920bf677d129

SHA512
d76dafa6e86105c69e0108dc664fa8d5606e6fc7ef56e0b622b618d4ad89bc86f343892aef8f3bd77d7a6a2dbe81cde3439b1024319c8841f6e7d6fb21f7da82

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.msi.tmp
Filesize
691KB

MD5
d7b4327191ae49e6898fd2c8be23be41

SHA1
581adf12f6f0e40a71cc6dfa9ed72e31950c5b1c

SHA256
e3c5bb1b2d97ca6b189dcadd4aff84a8b0c37b9602a9d367562a1362f7953ec9

SHA512
32e664e31cbc8e5f21e07baadc343ab0dc3ffd0c28b63ed469dc17a89a1141974799e36b753150fe06c7f93143ba5c2c67b0820141f12ae1fe899cb60d6fd961

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUISet.msi.tmp
Filesize
688KB

MD5
724e29c66e0cd21398ebeba60d7041fa

SHA1
17a4d3bbfd5b39395aed59930518e39009792fad

SHA256
26ac2fb243975c18176cace3a0bd4cc689c7260ad162e98a02156bec58b47512

SHA512
b21fc65c916090c3c9faefbde6016a6b1411d320ecf2bcdee8bd3fd9cd76dbe5ab370e3f248a405f6edd5eeeefd7865092fd2bbe5ba92bf24b2951654e1a0814

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccLR.cab.tmp
Filesize
7.5MB

MD5
158493e0962111720818598f02d32384

SHA1
b6c02ab7096db25a33d54dfedea6b4d62bef6d77

SHA256
ddafad0361f34729ddcf7e09071451fcb2cbdf3448a9b9ce2175499036a22422

SHA512
9302b0f9599e207e2eefcc906fbea5be8ad3774c26efa5b14097eb792c4c77f6e35eab9f630244518f2ddd9b396c7bed8d684f62c4f8d70ae96537c1b2572ab9

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccessMUI.msi.tmp
Filesize
1.2MB

MD5
abf158bfc4ca8f908c169901db1aadad

SHA1
6f0ec1821bc355c9cf648e0e88027f1a4a3a8e44

SHA256
b06cbf6b0ae28d6437319067c7b3f38a7a1fbb50f96910c8731a49dc3b471b51

SHA512
4a2d687c8ee49c76710b83a3f2e0a2095624afd2c3d9e8d4a506d726e79c1b92e8f564e5e2ecbdcf1e819f9da9505372005fde8bc4b9fb76a7575cf9d132d5f9

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\AccessMUISet.msi.tmp
Filesize
500KB

MD5
c553923748acafacdf27a0b1723301e8

SHA1
a427e9e8f5091e273262b7fa6e7bfbf9ad271eb1

SHA256
d8c9f1124f269d5f49fa4fa7061c4cbc4e12c4e60b998e02d05ab2bb27469676

SHA512
38317231cff9734581cb45e54e95329c57d8fc92b439a953396c25067d8fe534aa4d4c5a90604ea257864504e73ba42723b7ad749944484baaca80d10125e982

Download Submit
C:\Program Files\7-Zip\7-zip.chm.exe
Filesize
158KB

MD5
44b77b4f7fe06dac678bc26900d9c54b

SHA1
3f10a121f334098e928346798e616080ef276195

SHA256
2ec7680689da629553c2004671d6912fdb2bec0d467284ac08462bc69db433c5

SHA512
ff7743412f0e9c27af2a46ed744ebd27b17223dae5ff62098bff591789d02e6652fb14b6593de03d2910cdd4c1fa4d61f9e41727261ce3310bb20d81c198d143

Download Submit
C:\Program Files\7-Zip\7z.dll.tmp
Filesize
56KB

MD5
fc7ec3764f34279719a38141fadb5333

SHA1
38582e03e88e279afce198fd05438e30355b052a

SHA256
050e8d39f2f1eecc456f43ec5e324b7b6e6e8c8eb70dac61158ac431fe66ad39

SHA512
5389e830d9f9843f6ba3491375604ee3b552e995dbd46f6b5eb3bd819bd87023a7e2dc840f63501255e72808451c991ab393c246d12b37bcd916e8645613b52d

Download Submit
C:\Program Files\Java\jre7\lib\zi\Africa\Bissau.tmp
Filesize
53KB

MD5
c92fd4b160e303c8f478cf15c776d313

SHA1
3bf361aaacfb96ddf7c70ac17b9aef54e193c8e8

SHA256
f7ada9ac0473aa3febb9dbc3772758f342c7f96d6140f47873ef26efd7e90978

SHA512
779bc45c272013c7fa5ff44493fd5ceb6efd0f09dcf98e827640193a18434f0b8f7a6398c4339b250369b6b39e94ec680ae5e74b4fe48cb086c6a4cc4050f1ff

Download Submit
\Users\Admin\AppData\Local\Temp\_AutoIt Window Info (x64).lnk.exe
Filesize
53KB

MD5
9022d9702cd49ceb4504d21b44a68203

SHA1
73a51cb5655dcb03ee35133db295bbf051da8863

SHA256
de6d6e2213d77e45f3883d81583de74522c2fd1e723a2cfb6fd073fe25cbac9f

SHA512
00ca18581228854285fe8ad8691a4755406b0211536a072d698600f257d124ab75b19146945ff10029b4832dc79026d3372cf349a1001e97e7de88196d1fb2a0

Download Submit
\Windows\SysWOW64\Zombie.exe
Filesize
51KB

MD5
45b905d08c6f7892d3cab3726582c8bd

SHA1
589b8b70a38926ad11428e4f7b7f21e2cd751d87

SHA256
69d6a0037303257bcd7e3abecaab9e7abcb43f4be04500e6c4cb1a51e532c959

SHA512
2f8914f4ec48036cdbc653b75241d513ac2a8547cb5c4d1262243dbd3d5c511791f7185ff602e28c9c0cd760d32c68994d2c8aeb188785d73e5a7977828e11d2

Download Submit
memory/1972-7-0x00000000003A0000-0x00000000003AA000-memory.dmp

Filesize
40KB

Download
memory/1972-6-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1972-31-0x00000000003A0000-0x00000000003AA000-memory.dmp

Filesize
40KB

Download
memory/1972-1156-0x00000000003A0000-0x00000000003AA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads