9bc0d7af7108a6ca4069ce3774ccfab3b7ddd5f435d4106b85b4f6a06de0f28c

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25-05-2024 01:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9bc0d7af7108a6ca4069ce3774ccfab3b7ddd5f435d4106b85b4f6a06de0f28c.exe
Size

161KB
MD5

0a7050f4d7c4c91f943bade2538bcc70
SHA1

e2c5a03ad6e93e5180a21747125b418f4fdf809e
SHA256

9bc0d7af7108a6ca4069ce3774ccfab3b7ddd5f435d4106b85b4f6a06de0f28c
SHA512

d14b557e249307a0c099426c7c03755914e7113ae320b37c39d24b7c91478f246c2a640fe1876b68fc8739c1959b2456acc6fd5575bbdcb62b2e8a4a0730ed2c
SSDEEP

3072:6pWpUFpEhLfyBtPf50FWkFpPDze/qFsxEhLfyBtPf50FWkFpPDze/qFslEhLfyBq:PqFF2Ie+e1qL1qFF2Ie+e1qLf

Score

9^/10

ransomware

Malware Config

Signatures

Renames multiple (4146) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Executes dropped EXE 2 IoCs

Processes:

_desktop.ini.exeZombie.exe

pid process

3060 _desktop.ini.exe
2016 Zombie.exe

pid	process
3060	_desktop.ini.exe
2016	Zombie.exe

Loads dropped DLL 4 IoCs

Processes:

9bc0d7af7108a6ca4069ce3774ccfab3b7ddd5f435d4106b85b4f6a06de0f28c.exe

pid	process
2036	9bc0d7af7108a6ca4069ce3774ccfab3b7ddd5f435d4106b85b4f6a06de0f28c.exe
2036	9bc0d7af7108a6ca4069ce3774ccfab3b7ddd5f435d4106b85b4f6a06de0f28c.exe
2036	9bc0d7af7108a6ca4069ce3774ccfab3b7ddd5f435d4106b85b4f6a06de0f28c.exe
2036	9bc0d7af7108a6ca4069ce3774ccfab3b7ddd5f435d4106b85b4f6a06de0f28c.exe

Drops file in System32 directory 2 IoCs

Processes:

9bc0d7af7108a6ca4069ce3774ccfab3b7ddd5f435d4106b85b4f6a06de0f28c.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Zombie.exe	9bc0d7af7108a6ca4069ce3774ccfab3b7ddd5f435d4106b85b4f6a06de0f28c.exe
File created	C:\Windows\SysWOW64\Zombie.exe	9bc0d7af7108a6ca4069ce3774ccfab3b7ddd5f435d4106b85b4f6a06de0f28c.exe

Drops file in Program Files directory 64 IoCs

Processes:

Zombie.exe_desktop.ini.exe

description	ioc	process
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.SF.tmp	Zombie.exe
File created	C:\Program Files\Windows Journal\it-IT\jnwdui.dll.mui.tmp	_desktop.ini.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\css\slideShow.css.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.theme.nl_ja_4.4.0.v20140623020002.jar.tmp	_desktop.ini.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Inuvik.tmp	_desktop.ini.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Noumea.tmp	_desktop.ini.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msadcer.dll.mui.tmp	Zombie.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaultagent_localized.ini.tmp	_desktop.ini.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Management.Instrumentation.Resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\Ole DB\msxactps.dll.tmp	Zombie.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4-dark_mac.css.tmp	_desktop.ini.exe
File created	C:\Program Files\Java\jre7\lib\zi\MET.tmp	_desktop.ini.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Chatham.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\library.js.tmp	_desktop.ini.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\it.pak.tmp	Zombie.exe
File opened for modification	C:\Program Files\Internet Explorer\networkinspection.dll.tmp	Zombie.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe.tmp	_desktop.ini.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\it-IT\MSTTSLoc.dll.mui.tmp	_desktop.ini.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\MANIFEST.MF.exe.tmp	_desktop.ini.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-print_ja.jar.exe.tmp	_desktop.ini.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_chromaprint_plugin.dll.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\js\settings.js.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\ShapeCollector.exe.mui.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msdaremr.dll.mui.tmp	_desktop.ini.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainBackground_PAL.wmv.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Kabul.tmp	_desktop.ini.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Data.Entity.Design.Resources.dll.tmp	_desktop.ini.exe
File created	C:\Program Files\Windows Media Player\ja-JP\WMPSideShowGadget.exe.mui.tmp	_desktop.ini.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipssrl.xml.tmp	_desktop.ini.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\org-netbeans-core_visualvm.jar.exe.tmp	_desktop.ini.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Guam.tmp	_desktop.ini.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\Microsoft.Build.Engine.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\add_up.png.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\settings.html.tmp	_desktop.ini.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-next-static.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.text.nl_zh_4.4.0.v20140623020002.jar.tmp	_desktop.ini.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\org-netbeans-core_visualvm.jar.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\icon.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Santo_Domingo.tmp	_desktop.ini.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Vostok.tmp	Zombie.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Honolulu.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-heapdump_zh_CN.jar.exe.tmp	_desktop.ini.exe
File created	C:\Program Files\Windows Journal\Templates\blank.jtp.tmp	_desktop.ini.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext-disable.png.tmp	_desktop.ini.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\msoshext.dll.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\en-US\wab32res.dll.mui.tmp	Zombie.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_travel_Thumbnail.bmp.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jmx.xml.exe.tmp	_desktop.ini.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Merida.tmp	_desktop.ini.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Bougainville.tmp	_desktop.ini.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\sunec.jar.tmp	_desktop.ini.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_corner_bottom_left.png.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\dial.png.tmp	_desktop.ini.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\settings.html.tmp	Zombie.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\abcpy.ini.tmp	_desktop.ini.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\TableTextServiceSimplifiedShuangPin.txt.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_left_hover.png.tmp	_desktop.ini.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.http.jetty_3.0.200.v20131021-1843.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-actions.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-options.jar.tmp	Zombie.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.ServiceModel.Web.dll.tmp	_desktop.ini.exe
File created	C:\Program Files\Windows Defender\MpAsDesc.dll.tmp	Zombie.exe
File opened for modification	C:\Program Files\Windows Mail\wabimp.dll.tmp	Zombie.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.RunTime.Serialization.Resources.dll.tmp	Zombie.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

9bc0d7af7108a6ca4069ce3774ccfab3b7ddd5f435d4106b85b4f6a06de0f28c.exe

description	pid	process	target process
PID 2036 wrote to memory of 3060	2036	9bc0d7af7108a6ca4069ce3774ccfab3b7ddd5f435d4106b85b4f6a06de0f28c.exe	_desktop.ini.exe
PID 2036 wrote to memory of 3060	2036	9bc0d7af7108a6ca4069ce3774ccfab3b7ddd5f435d4106b85b4f6a06de0f28c.exe	_desktop.ini.exe
PID 2036 wrote to memory of 3060	2036	9bc0d7af7108a6ca4069ce3774ccfab3b7ddd5f435d4106b85b4f6a06de0f28c.exe	_desktop.ini.exe
PID 2036 wrote to memory of 3060	2036	9bc0d7af7108a6ca4069ce3774ccfab3b7ddd5f435d4106b85b4f6a06de0f28c.exe	_desktop.ini.exe
PID 2036 wrote to memory of 2016	2036	9bc0d7af7108a6ca4069ce3774ccfab3b7ddd5f435d4106b85b4f6a06de0f28c.exe	Zombie.exe
PID 2036 wrote to memory of 2016	2036	9bc0d7af7108a6ca4069ce3774ccfab3b7ddd5f435d4106b85b4f6a06de0f28c.exe	Zombie.exe
PID 2036 wrote to memory of 2016	2036	9bc0d7af7108a6ca4069ce3774ccfab3b7ddd5f435d4106b85b4f6a06de0f28c.exe	Zombie.exe
PID 2036 wrote to memory of 2016	2036	9bc0d7af7108a6ca4069ce3774ccfab3b7ddd5f435d4106b85b4f6a06de0f28c.exe	Zombie.exe

C:\Users\Admin\AppData\Local\Temp\9bc0d7af7108a6ca4069ce3774ccfab3b7ddd5f435d4106b85b4f6a06de0f28c.exe
"C:\Users\Admin\AppData\Local\Temp\9bc0d7af7108a6ca4069ce3774ccfab3b7ddd5f435d4106b85b4f6a06de0f28c.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2036

C:\Users\Admin\AppData\Local\Temp\_desktop.ini.exe
"_desktop.ini.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3060

C:\Windows\SysWOW64\Zombie.exe
"C:\Windows\system32\Zombie.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2016

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2297530677-1229052932-2803917579-1000\desktop.ini.exe.tmp
Filesize
161KB

MD5
bdb68e5f86148eccc874d0699a4437a0

SHA1
1afd3e961b54951d57aa6cef678c3ed4fab3eef3

SHA256
08e3a34ea274d1d34f60ac1b1ae4735f7cb86bed9f23abcb4eae15b18b497eac

SHA512
7779dd94c4b55b1f618a0fa895dc45a89eb3bf747683800ff57ec0799a58df8f8860153563dbba4e835b7b33201f74127d92ba1adab08189efc0be1b390dee4d

Download Submit
C:\$Recycle.Bin\S-1-5-21-2297530677-1229052932-2803917579-1000\desktop.ini.tmp
Filesize
81KB

MD5
abc636fc2d6068a57befcc063a97ca7f

SHA1
d062c87654ee5e92cf26d9a75b299f58e0e1a311

SHA256
956b4e85eff88d311d517fd23ed672bdbe8a17c3a97680151e1107ca74774e37

SHA512
517793ac52d11f9b3a2dd070c5aa9591e436254e5c869884d33d3615e44004b9339c1c9e6afe86a8c25214020a1c1160bf2d2689be38e6a5b183520b685c740e

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.tmp
Filesize
5.3MB

MD5
000466bf4ceb091f978a1e4327afc824

SHA1
33845065c50ef49af7655dd32498a6511e4a0e0d

SHA256
f1a2cf6919964282557effcdd5161af8b335813675a6da7007501599b7b67326

SHA512
24914fbb86ec02e2458bd1a1e7fc10c6a113f037acb83b863c49c3d5a30df2d7050affdb8ff8852565991f729634717909c823a4a8abd00103f6a89698336336

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.tmp
Filesize
2.6MB

MD5
6fb2cb6c05757ecd6cf74482fbaafebc

SHA1
08fcd6829c4477836a992bb992ab4c1f4af7b126

SHA256
3c48064c5a9203a6e28196585d71c0ca3d81fe31de939b78f23709f00abede1d

SHA512
b292c5321172d05c8d7acbde821fe0595e741bfb7e28e8e51f3a4c6cdaada21d64d99867f9aa39599913626e2107a7f331e535a1620449ca440f428a217bf083

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\PidGenX.dll.tmp
Filesize
832KB

MD5
27e722bda8e1dd387935fec16867e895

SHA1
79fa74166fc29dbd521b83389fce8f874a13d1e4

SHA256
c7b6be7f3469e4e93ff3513b567111ef948e53ae4516ec6864f3f4c90dd75ef4

SHA512
198726efe2b9739b5ab9c2bc4f1f76f524e4399251840e70fcad2447b734da524f1126107f5563ac9f4ef42855fc9ac97c34df0ba7902f1aa2566e262ec7765c

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.tmp
Filesize
844KB

MD5
d61236796c8a47c6e4dd33d39c0b7ef0

SHA1
4ab387793ab4d6de0a1dd38ee7940fd34e52c1db

SHA256
d7d77a020f9d2eead01996d7d9dba45f43fc6b42431258011898fc6a1400f714

SHA512
bdc5ea50e628067dfdd9bb92890ba74055de512c78a6e6881483186ec47b0a6a95805cf46ada9f66381624c769994c2803ec3966704829b1a953c4e10f48c50f

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe
Filesize
227KB

MD5
1bb7237ed5781c5e14d26fa26503a251

SHA1
c2f2c5603fdf0f899eb0a7ab11a26ec89b037ba8

SHA256
da79bb79a426021284af3f1234fad1217fcf44ede6d4a2b02c2111069a3fa03b

SHA512
5cd1ccda049dec0000479c4d772e42da5fba02677895712812164c90678a659175febd2c4ca95d9006630490027e213d5d78c4f9ec62fed715a2fd29828d9f05

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\osetup.dll.tmp
Filesize
400KB

MD5
16d8041583cf30bc6b1b5903fa51cb43

SHA1
6e599d8e0c81e52f783543278647f47b757c9967

SHA256
a7c1ed6683ed20e826cc74e4ad326cb4078323954b7930ea0cab12df20896591

SHA512
8ed1911c7152fff34f0d40bdf9b4b62dfa7ca7d1544a657d88bcd0595295e2ddc50131d6c67bdc2527a7750aa7412c04fb7cdc750f3646f4b5102c99e4daa55b

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\osetup.dll.tmp
Filesize
5.6MB

MD5
b336b74f87e9901d8d8d910a985acb82

SHA1
445ca2c665231cd4b2b528d58186265a88030913

SHA256
5d76e9569ffa9ebde0a2ac2b9bdf8479c7dd47da75b7952b744f082f6a4737cf

SHA512
a2094de6016d4985b4bf7830f0aa11a1eb90eb3a5fe867e959c8e689ac636650ee568267337b5122dd0c6f5ce804275202e87e8819f33ef048f9dec7259529f6

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.tmp
Filesize
688KB

MD5
00f938ea898ffc51b44881e535da1d94

SHA1
4de49228eedc333ac5f27b4f35397c960f9c93c2

SHA256
dd6edd5861f489cf177e8737dfa4871758196f6c972714a46eb580637ad67143

SHA512
2ac44c91b39249e6732ebd323bb57c424adf2f7e3612a82a55d134655cfe1a528034ab98fdc723b4e7dc1d23ad8ec03f1fee660574fd7a7dc4177da6ede22f1f

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe.tmp
Filesize
1.1MB

MD5
ac2a0d15613d6af0202d7c3a51a680ae

SHA1
d736b6275680c714b7b0f6932cf1216686efa83e

SHA256
e40f2125e8d07b65f5e53451bd494c89c28f71d900f0dad319f349c1f023c4c6

SHA512
ce453ab66bf9a104e8af5a7fd72ada8c9f63d5091b839ccaeae4f9a43c35fbbfb7c7701b4f9ea9f65c9ff334852f41b3015af676e36cfd2d5806f9cebe63a0eb

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe.tmp
Filesize
1.1MB

MD5
85325d435ed91fbb2f55015c694744e1

SHA1
2d8d16c540fb52be66a9f79493a21c1ade7556a3

SHA256
5aba81ffe7525e47b5f15f406b6179137765d7e8dc464000de9230d287c30517

SHA512
8718277b461122a63a3fb237d75c94ffe1cb42f66646cc6f128edf99b01f23c007c3bd7a427f4fd48cb409b49761e49fcb8c920115b587597daa34b19622e121

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.tmp
Filesize
88KB

MD5
21583106c41438eba6777b603c692de7

SHA1
8b1ec0ab113c840e922e887c97216826aa4bcb1a

SHA256
eb4a4581383a9897f217112d84289e08d3852a3e9ebcdb973439003e1b8e9210

SHA512
81d7f3610093eaf27dfc4fa8bbad79f49399ba5eb39e526024aa982dd64137cf40878358774080bc358325bbe84a6b1767b321c108369a42ad5a1f477e45f6f5

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.tmp
Filesize
16.2MB

MD5
9c86ddcf18be85f9121203b4899f6c0d

SHA1
39e63e997cad4fb09da62da5556e0f4616d32da6

SHA256
57dee30e0982078258c43e2148433bb46db62534ff1d282c4a46b5e7d4529a72

SHA512
790e6e3cb0d67183ce6b9f8dff3fc22a9491d1d2e5d493d7fc83218f50a2dda4b0e72274e738ccbe369cd31515e5e69b12a79992f01685018dcf67d009589836

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.tmp
Filesize
992KB

MD5
b10695a58bad9aeb8bdbedd1903ef925

SHA1
3ad50f5639676b168f5d756969373839efb38f62

SHA256
ceab9eb179be14f984bf203828f19e9d3cc68b6898076c3bc2f69706aef8bd6e

SHA512
2f113fc995a8f0ad380cab29bf65a96cf4abc6ef06af6f7ab971147f85cb3a970a0bfd93df07d12e59f2ad0320ce7fa8c4f4f3b327ec35a8823bb9bb7a49a3f3

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml.tmp
Filesize
84KB

MD5
f45459edd01366c27c3224961098438e

SHA1
2c597ea8a10f6bd7fd33295473069326e15062f8

SHA256
d304963bf82f2ded6e39b90d336dcc43738e1200bc2b6515b0d58a7d1bc9eefe

SHA512
9e27f485fdfd6d0823329273cae7af7d7e496c90f5e7921148a7b95d8555167609df0440e33458acfffe3081cf5d632d0989f554916d1e7448fdd556cdfd0a14

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml.tmp
Filesize
84KB

MD5
418c59b619935238eba238cbb99a601c

SHA1
7f4f88527ce6b6b564f451c04afbff819ca0c238

SHA256
bca849f34db16537cd764836dde33c9322243f0b21a87ecbb148dfdeedcabee8

SHA512
b9d999264df89fa0b4b47bb770786e5cadc459a5e4403cc7799c567c0bed03e6da2dd925df56718b3174ac9da473aa53665a00a556b78272e7b944a0fe31a8e7

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.tmp
Filesize
3.2MB

MD5
151504dfde10f75fb207f3225276b04d

SHA1
291911dbfa25a01e904b567c0029ebbd6a301231

SHA256
0980b8ed38e530781409c60e16545bb841573a6843eb1867c23e806cd7bb6f15

SHA512
18917fbc810d32af96b23be8415f00d93571d19e0d886439077c8486a129fe1a2d63563d2e294c20867562d31d6e97158e508418533dcb590114992c67c9c57e

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.tmp
Filesize
84KB

MD5
b514a14ae694afb7b34a3d3803d198c1

SHA1
aba635bfb1ff0d1976a97332947a5f0ae3c1d904

SHA256
5b2aedfeda72be7de7c61445d803779e03b7b6341aa278ab593fc1c726d39a47

SHA512
532ea8cbf71b0744644a6af666ed16c1dc2b81fbe6c95ccd209daf866c4d14c6250e9525c7a38264fded2efea44c42b88919bfab218e0e19c43cf3a47fc39e5a

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab.tmp
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi.tmp
Filesize
2.1MB

MD5
5115d2fa246d4819ce91291e351ce5fe

SHA1
35332fd351637b6e1f26f98aa8184fa9a72b0aa3

SHA256
d1a05e9bd14e0bf462d9573857e7593b47f02be2a42b53a9a88b1b0b3da3f59a

SHA512
1f90a25cc52940b6f29c8ace4e5b38488ddc180869d3787fe434806d85b447a54d4c8d9d72427ad2dfda5bb29bb517080736c4d026165af7f776c1b66b74e576

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.exe
Filesize
85KB

MD5
31fac47eca455cf974f388e54e63faa8

SHA1
1d6d9662d3e415326edd66126fa63680f51230e0

SHA256
10bce770e89b12f5c516ffa1a9bf87885049ad6297d864b6a4c4e85f9bcaa505

SHA512
685861437e273c0b5c5e05b7d802ceb983512b17c7401805ec294b18d44cde0a86f0a1faa58493517f2747b5d529581a536ab9d721cd26d9fddb90abc7535401

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi.tmp
Filesize
1.8MB

MD5
24578b4c75d81f17a3262763dc25c31b

SHA1
83b53d0f66921e0f08a3b5c29d1a4b6517e5678c

SHA256
4730ee53384285626ea7a29c41569c03b2857e06b997169096d5451558fc9443

SHA512
6d5e7c3145fb1c69be89086d7e10d01ba2e10e007e7d2f5476ba74d0e606f6319ff3f2f5491e7032e4ebe3fad4fb126562aa7a220fc74b46f7787e42edf71563

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.tmp
Filesize
2.8MB

MD5
04a5f4623797922f2c0d8b089510d2cf

SHA1
0efc1e940290f13e1d676d4a274d34af8af0967b

SHA256
6621bac3a8c2caf284bb60b42406e60412b544b3f4a1e869b21531c883c0f8ef

SHA512
e3aa3b291a5bc5870b85b48af7d525785a1e62923a143f1556b92b854e9cd88e0f7e21c8dcafbcc1fc998b818ae2bc0bd203f2007341fd16ab55ddd31bfb8081

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi.tmp
Filesize
722KB

MD5
1f9764aeb5ff5640dae8089ff5fcd1d2

SHA1
d4aae4f47230b3d46bec4d5c190561862e74eed9

SHA256
b8ac8b14d9fb0abd72850e491bf1395a15de082adda52cb488d0529f7813eb59

SHA512
0da1c6b2b9d81d004509783aa35ef692e58827da7da61eda90c5b037d435c7d3d516a2071c1d33f5305152814fadcc109f2fecff4575c04d4a042b7ebf1ed35e

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab.tmp
Filesize
1.3MB

MD5
6ee616b538ea3db611bde6aa688a5be9

SHA1
9423ba3ea5e2c0c8d740e7ae4c46f428e1ba83e4

SHA256
653409e4b854de471346b2e28618cc584e8dd0841ac2691770df2b49d0666d13

SHA512
f051f99c9beb5da77f7d32d314df2bd011e4f13b4c3aa42fe1ee4c0d4923a0de357d121994b24e14d439e907006e209b54451d333fc8eaf7eadaaa9e966dfa8f

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi.tmp
Filesize
728KB

MD5
bd5b155ff0e8b5e6e19608088c435450

SHA1
28d974e9384e7d46483a109609b4136372bff8db

SHA256
6bf9d5f017b4ad53e6fe34de6a68456eda7f4fa9d1627b7296760fdafa5827b4

SHA512
9082b7a7f7b6ba1a9d15f4d209642cf2767664429a58755854eadf8ffa09600b59f122fe161da5a5bc4b29a73d5602b86f3ddbe2a5833f0f88227169d8684596

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.tmp
Filesize
2.4MB

MD5
86121397bb07f62549e1622ea03cd6fa

SHA1
65ac7ef374f5becba89d6b9924fa2c8527b66346

SHA256
1bcaa8e509f1e9fba4772bce6761333dc0e0085808a569cef5bf93d5096204fe

SHA512
614ff1cc4f94a6a57a55e28b67db7b32af8e6f6a98a39cec8fdc391558353241fa5efe402fa338e57be4284c757b432c07783c0b30687d4c45b107bab7c547e7

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi.tmp
Filesize
733KB

MD5
c9fd3dd63bae9166a6920a7bac51c5e0

SHA1
21957799500cbb9359d79455c0b0279561fba27a

SHA256
79a84ba2cb8aa48c7c1ce6f1405e9eef47a22dd0a8d90d301d4b3a3d5d51b511

SHA512
f11aaabafffc77f8773c82aa9dc72a96f209f36ebcca4d36390c2b524373a9bdd72dad0c0fb317cc2c17fd1d83ae989a84c9e40a04ecf6acd6e4e6a0d999e412

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Setup.xml.tmp
Filesize
86KB

MD5
76536e8aea47f390c73224aef6dd06c0

SHA1
6f30e0d2d5b16b42d31df2f5d8fd6035a94c2b3c

SHA256
dfd76a29eb5fb1bc9a4942f52efaf5f9cbcfde4011a7ffccc78959c112d2f516

SHA512
6177bab22f1c67ee74b4cc094a5b07a8228ac5812a321c32c5a04820b793d86740248ba43965880edb6b2834025a5ec1a5afee26ae5487c6a4635d94351e5726

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab.tmp
Filesize
5.1MB

MD5
328696aaaefd0db3a95b5a6361a3f4b3

SHA1
fe3348a94489a873e5498ab29afdef3a504c8703

SHA256
80efc4dae3574abe7c4fd9bd5c1092809c592660ddc6dd24ce78ab56e822acb2

SHA512
5f51e6b98054c9e785a7dbc10ad1a8cdd927a5fe87de9f78d6fe0ba0b6a2bb646fee0171142e1a4fa5bb096722a4351d75cc0d2f7e04d6b1a99ac96cb1ac0677

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi.tmp
Filesize
2.4MB

MD5
cad26e5b396e375d062ce78a843edd74

SHA1
299a8161a441fcdd1353ecb5c70d97f6336c236b

SHA256
7b503e652a951864732d70bde856797683c37b2856f0b9d9ad8ebd05f45d7e3c

SHA512
4b6323350fa562977a4d2ab47d5f3bac6d67c8172b965bdb5ca088060e864d322791f6a33bcb0c019b3132326cdb8b03aa49c16226278194e2838848021c09c3

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.msi.tmp
Filesize
1.8MB

MD5
db8063e596c68bfbc43984ca5932bc6b

SHA1
d4bffa78c82c1b8cf3127df442441852a9f6f2fc

SHA256
dffce54b1f6bc4ca2765318c20be1da612f78fbb503772e872cca0b0d7e4d736

SHA512
ec1d62cea3ddc432327ba7959d0650f551a892556f1983183d9e1607044ae31dca2f7b74a6e394200e43af37b1a5782ae0847c24b157cc8f179ed6ce446f73c9

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OnoteLR.cab.tmp
Filesize
992KB

MD5
41cf5a538727ce9364b8423ad42edf9b

SHA1
4496478f641da7d94dd47a9da9d58a5384b64613

SHA256
9c963db72d4ac2efe7c5041a948511df24e41e66758a2378bc0878b7d3f2138c

SHA512
d00c889a243f77537a8a1a4220ea5409c5fe53c86e0a2b5465cc27abb096ba21be87f18638254cb209e712bac8ea4cc13766b90d64e03b24640e82f9cda69754

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveLR.cab.tmp
Filesize
2.9MB

MD5
7aaa653f1713592e369b2aa1b20f5fe2

SHA1
0d2ea381968f9990ac9e16e4807dd54173f619d8

SHA256
4d913b15534622b0dba6d8573c1d7ca03de586ac5ad796c3a7423cc83058852f

SHA512
91d16e31771c36d4c2aaf290216838eba1b8224059513aa9d0347685dad40d3677ee7bd9100e739a75553a1723c85d1655d6994ae21f857eecc4d987617094b7

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwintl20.dll.tmp
Filesize
185KB

MD5
56fc9769785f86d2aab034b31ac119dc

SHA1
eed62fa1e06d4a109b67f3c005d47ff9115d70b3

SHA256
3e6102b5db98f714c8a3c52b8f8e2c2007d8db32d27c9cc7c70eb4adfb70ca45

SHA512
0af2cd84bfdd28cea1eb0ee56633ac5eb4b808388b8c04fc89bf5edc8f4ca8ec0bd54aa6705eec773048d9fcbbcfe31d714b51cf27b878eb0cd8ea05696b293e

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE.tmp
Filesize
900KB

MD5
d7246f221bbeae12ebd4dbce43b6ec32

SHA1
0d09e6fdbecda3125f4ec97d6e05440c8cdcd9dd

SHA256
72fc8f0c244be341c0b2877442834f5c55441957ba894f2b389d08e8e0f288b3

SHA512
22a101b376f4a0e1aa62463f0ab7ce9b7cfb5b92bf8706f32f224dd0689192c89fa11e637348974d40574ba0cc6b251b025e8c0956a81463b6098942de42ce8a

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeLR.cab.tmp
Filesize
13.7MB

MD5
a9111a804c858cf7d1b5efb7c39b8a2c

SHA1
5d3a496428225d26162144217a4cf138af161ace

SHA256
d3506e2ebfb262567578a047e453956769c07c856dddd45d154573cc7cf10385

SHA512
e3986d8b5c8f0eface03efda73cdf738f302f333e0ddf69ac878fa7551da514457370f964eded0b55e7839498c6e2c9cf677497beb03b1b9f30c1b129457e993

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.msi.tmp
Filesize
572KB

MD5
bea09fcb6fdda6794570238921bef9df

SHA1
36cf746e37f5635cdf7a7b8a3ade2ee6c74ade49

SHA256
8a97e9ec7ad6c9d1f4c5eadc288204fac7094b474a5113ffc919a9b258e854d4

SHA512
53fd875f3af08bb89c4d32c98d7692198b14b263c8b1857bb01807adcff6c729e5deaddfcf407f5a69ab3e2d22cc6c3e6a2a08cce63ba5dc9eea44a4959e91d8

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.msi.tmp
Filesize
716KB

MD5
5fcc6d7d4fc268d7f48e5188859a0cee

SHA1
f70437a6cea8c3701bd495643202b37ffaf84bee

SHA256
29e5de9649be1af17deb73b194aa86f3e2ed5ffdd82bf187d349dba2020daabd

SHA512
5d370490619c2a9de249d0aff3a7030f3fc26b8b839396249fd07739320bd3aa0b23fa310ce07bbcd41f506a3795cba4e007caeab175d2eb473a0e426443e8af

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\ShellUI.MST.tmp
Filesize
88KB

MD5
ec1161c08db989c221399f7ea30cc6c1

SHA1
027dbb261248f5372a4db370e20f2800280dbf04

SHA256
bb53747637b1a18687bc79092f101570118e60ccedc26f4e528fe9f24705c1ed

SHA512
266fadc2025f13de45a73181f3bd73f7d6771231ffb6825d72329b172ae02a725aea23188d7bde5f46ad1e0fa6219771ce37524eb71c3a2ec52e44a6438f34af

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwdcw20.dll.tmp
Filesize
595KB

MD5
e321d0e4762cca8295125d35d81ce689

SHA1
52d5d8f7542e0208e6f78a661d8a72b8d54ba664

SHA256
3b31f2f9765d454b4259abffc29f3eba63e1ccc7e5d076cf096a746319ef4715

SHA512
c4e2215cec084c223d6a25b65d9a9ffb033b1c30696d59e068e27c6d7651d232234a7d2efc385464e7c7cb8c82461c1d7b92224b193380f5d8997346ff81be71

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe.tmp
Filesize
588KB

MD5
c94cab85c4bfb5e8104a48b28316d969

SHA1
5a638aad1d881e47fc868fd27efa37a185e714f2

SHA256
aeb67d2a37ac7c0f0ab1caac7d6db445c802a20e12493fac7831ae708e36e030

SHA512
3fdc111c73e7bdfa60286bfdc2421fc24e79f51101c230f4def965ad87a496c51525cd1dd5798c2288c4cd38f3996ef9b1fdcfc21cae7c3cfcae3c972085e585

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\osetupui.dll.tmp
Filesize
88KB

MD5
65b1e794d1b7c86d66fe70d960a2a2ba

SHA1
d14769d70159144eafc5fb71e7152839a6b2f681

SHA256
f273473190a8693638876627b082a90bcb7c53264ff474b0ef3490ebdc112eff

SHA512
06959ab6341b9474453bbbefff7ce31d813817295c175d10b77cc80527997cce17bcf3f27d0fb53186a06bcb0cea215b54a7dfdb49ccb704007d9cdaf5b79f9f

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\pss10r.chm.tmp
Filesize
106KB

MD5
f2ea82ab2debe284278a31a269b0cdc4

SHA1
f29717d16b5b3c2a5b7143d7ff27787924df357b

SHA256
59d3663ab93d3d9e342e83a274de90efc90e43c3482f2193c740ee03d1ee3d29

SHA512
9b93b07b31363e9adafed4b28d0819790d9aec28155c69ce5fa91770461ce1d02a481c0db556a10b8830898bb792130a6257929101c291221ab7e58e3747722b

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\setup.chm.tmp
Filesize
146KB

MD5
2e9e56cc1768477016f0ce9c9ff31024

SHA1
9de1c1502faacc3fb97c57684e5f23fb5db2f777

SHA256
7fc3dd3f348a2ab3eeb500d4653ed6e8ebc20d4073bcc94542bebda5eb83096d

SHA512
5b1429e7efdf7a7b37ea928649d291a57baaca128102e297aa6401234db50e992f35589c7af2a3b4e2a16304087e5968ff5b6acaaacf673b87301e8f5dfea40f

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OWOW64LR.cab.tmp
Filesize
88KB

MD5
81b1c8cac5d0cf9e3f17d27d644f0e8f

SHA1
b845ad0a9a9172f9b1d41c200e6a5b9ce710f491

SHA256
3ad49706f2bc4b6befc64b144430ca00290473354a13888b59539d15bf06288c

SHA512
b48267c27d1ba24e7ce1fd372bb2f01f5d3c0179130cf5bb56bfb3075254a12edf679b6c191528aaf8f354af8083077fe7f76d17b260287a2c94979de69e8302

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OWOW64LR.cab.tmp
Filesize
1.2MB

MD5
3487b742d48b8df6298516b1c34e23d0

SHA1
5bc4ba985895544e55ac8d3b7aaf3834f299e414

SHA256
2168ae1413539187860ee45a64c8e17b7e745e8eab2484d02ec54b75d75b3660

SHA512
a7317ab5c738d01938310166f5a6e58cd27ec63fcb79107289c3ca7c9b4071fd2ee876f471043020d2241a336c754b01a693b14508df4f1a83a75b809f7a699b

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUISet.msi.tmp
Filesize
88KB

MD5
2357936859caf9fae806151648c81390

SHA1
493f31738a88f2bcfcd74cbede0b05c4fbb022b9

SHA256
a711a5ef86e9aa822d87d6b68a4f0ac8d84e5562507312b751dc5a8972fa38e9

SHA512
6a7277fd16ae36fd39833c254e55ae5f73e755f20422cea59623ad75dc8be1f9b5f20e25abf32a6c6d7f94bbe3f313ded9ba96289778a53d666b15ef20960eb6

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUISet.xml.tmp
Filesize
82KB

MD5
a88dd50b12535e99cad73f6f87fd6a86

SHA1
3ce78f0d97f499142c060f004c503df89568eedd

SHA256
35c6c8283741a12667d00189823a65b9bb71a9cd31f93a693471363792e218f1

SHA512
38469dd9bbcf0819b32f4169c7a5ea36f02c35102785b3126c1e25a5fa4d93141465a03432d77d36b520843b423157c426c9514defa7c8aa913f4826dbee3bab

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccessMUI.msi.tmp
Filesize
1.8MB

MD5
56a3bfcc496d6ed029336464eaf1c910

SHA1
79bc044c55febc9ea9743fb8fb445a94a9e0d5aa

SHA256
8ae5798fa04eb2a9aee190f3d4690322679117c88a517f00b27428388d82fdaa

SHA512
4e9dc0afcbb1b11c75f0b777391d31cb453504789254683d7be373e8659d4102d8a77501cd941784fa9dd17b04309659f59cf3f9d67e0034edc21d71d921db48

Download Submit
\Users\Admin\AppData\Local\Temp\_desktop.ini.exe
Filesize
81KB

MD5
32a88fa5eb352bca9ca9975041b59de2

SHA1
831302ce8c32d9f584fda2046843bad58e6969fa

SHA256
e62aac64eba96249ffe9cbb08b2d80f235636483521fc06480343f29104cf3ad

SHA512
9643681775ace27a4bb5acecaeb37fcbeadabdac0d7d6161b0d6ce343ae7b4ce1163a0ab767229f9a361dc779e06917589f88fea178bcf25ce98d59522097b5e

Download Submit
\Windows\SysWOW64\Zombie.exe
Filesize
80KB

MD5
a3a627e45d41e05393aa8a18ef81808b

SHA1
e04eab845c469edb5a2da0278a32c7854d30f9e2

SHA256
4a601d18bc8e79c8351bac2e008bbf9fbebb4296c0b4fc87053514fb057fe36f

SHA512
3c60d3c566e136c2d594c2f6347dcdc32493cf69888d99c552594ed9617130a81298a604deb75e69a90432bce98804799a71039b6f3943bcaad85b969f3724ed

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads