d66c849328c2bd90d38cff728606ea47ff3c96d247cb4cae5dd035aec4be8599

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25-05-2024 04:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d66c849328c2bd90d38cff728606ea47ff3c96d247cb4cae5dd035aec4be8599.exe
Size

194KB
MD5

06bfc6466092cedd5d077aac420e51e4
SHA1

0e2cd3d12e2778fdd5f93910171359e2bcc95252
SHA256

d66c849328c2bd90d38cff728606ea47ff3c96d247cb4cae5dd035aec4be8599
SHA512

8fa723efdd7adb5d2a4143d8783328a0d2bf60e867f9985b794b7a15724e83981fc79e7040c5f4c772196536cb65c36111e9448495371ec406305b79262ab063
SSDEEP

3072:hfAIuZAIuYSMjoqtMHfhfUfAIuZAIuYSMjoqtMHfhfT:hfAIuZAIuDMVtM/yfAIuZAIuDMVtM/N

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (915) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 54 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1284-0-0x0000000000400000-0x000000000040A000-memory.dmp	UPX
behavioral1/memory/1284-4-0x0000000000250000-0x000000000025A000-memory.dmp	UPX
\Windows\SysWOW64\Zombie.exe	UPX
C:\Users\Admin\AppData\Local\Temp\_setup.ini.exe	UPX
C:\$Recycle.Bin\S-1-5-21-330940541-141609230-1670313778-1000\desktop.ini.tmp	UPX
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe.tmp	UPX
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\osetup.dll.tmp	UPX
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\PidGenX.dll.tmp	UPX
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.tmp	UPX
behavioral1/memory/3024-57-0x0000000000400000-0x000000000040A000-memory.dmp	UPX
behavioral1/memory/1284-55-0x0000000000400000-0x000000000040A000-memory.dmp	UPX
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.tmp	UPX
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml.tmp	UPX
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml.tmp	UPX
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml.tmp	UPX
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.xml.tmp	UPX
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OnoteLR.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Setup.xml.tmp	UPX
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveLR.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveLR.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwintl20.dll.exe	UPX
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\branding.xml.tmp	UPX
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE.tmp	UPX
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe.tmp	UPX
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Microsoft.VC90.CRT.manifest.tmp	UPX
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\msvcr90.dll.tmp	UPX
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeLR.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.msi.tmp	UPX

Executes dropped EXE 2 IoCs

Processes:

_setup.ini.exeZombie.exe

pid process

3024 _setup.ini.exe
2984 Zombie.exe

pid	process
3024	_setup.ini.exe
2984	Zombie.exe

Loads dropped DLL 6 IoCs

Processes:

d66c849328c2bd90d38cff728606ea47ff3c96d247cb4cae5dd035aec4be8599.exe_setup.ini.exe

pid	process
1284	d66c849328c2bd90d38cff728606ea47ff3c96d247cb4cae5dd035aec4be8599.exe
1284	d66c849328c2bd90d38cff728606ea47ff3c96d247cb4cae5dd035aec4be8599.exe
1284	d66c849328c2bd90d38cff728606ea47ff3c96d247cb4cae5dd035aec4be8599.exe
3024	_setup.ini.exe
3024	_setup.ini.exe
3024	_setup.ini.exe

UPX packed file 55 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1284-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/1284-4-0x0000000000250000-0x000000000025A000-memory.dmp	upx
\Windows\SysWOW64\Zombie.exe	upx
C:\Users\Admin\AppData\Local\Temp\_setup.ini.exe	upx
C:\$Recycle.Bin\S-1-5-21-330940541-141609230-1670313778-1000\desktop.ini.tmp	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe.tmp	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\osetup.dll.tmp	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.tmp	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.tmp	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\PidGenX.dll.tmp	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.tmp	upx
behavioral1/memory/3024-57-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/1284-55-0x0000000000400000-0x000000000040A000-memory.dmp	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe.tmp	upx
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.tmp	upx
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.tmp	upx
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab.tmp	upx
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.tmp	upx
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml.tmp	upx
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.tmp	upx
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.tmp	upx
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi.tmp	upx
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml.tmp	upx
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab.tmp	upx
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.tmp	upx
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.tmp	upx
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi.tmp	upx
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml.tmp	upx
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab.tmp	upx
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab.tmp	upx
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.xml.tmp	upx
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OnoteLR.cab.tmp	upx
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Setup.xml.tmp	upx
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveLR.cab.tmp	upx
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveLR.cab.tmp	upx
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwintl20.dll.exe	upx
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\branding.xml.tmp	upx
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE.tmp	upx
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe.tmp	upx
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Microsoft.VC90.CRT.manifest.tmp	upx
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\msvcr90.dll.tmp	upx
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeLR.cab.tmp	upx
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.msi.tmp	upx

Drops file in System32 directory 2 IoCs

Processes:

d66c849328c2bd90d38cff728606ea47ff3c96d247cb4cae5dd035aec4be8599.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Zombie.exe	d66c849328c2bd90d38cff728606ea47ff3c96d247cb4cae5dd035aec4be8599.exe
File opened for modification	C:\Windows\SysWOW64\Zombie.exe	d66c849328c2bd90d38cff728606ea47ff3c96d247cb4cae5dd035aec4be8599.exe

Drops file in Program Files directory 64 IoCs

Processes:

Zombie.exe_setup.ini.exe

description	ioc	process
File created	C:\Program Files\Common Files\System\msadc\en-US\msadcfr.dll.mui.exe.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\Ole DB\it-IT\oledb32r.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\203x8subpicture.png.exe.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Memories_buttonClear.png.exe.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jsound.dll.tmp	_setup.ini.exe
File created	C:\Program Files\7-Zip\Lang\tg.txt.tmp	_setup.ini.exe
File created	C:\Program Files\Common Files\System\Ole DB\en-US\sqloledb.rll.mui.tmp	_setup.ini.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\TitleButtonIcon.png.exe.tmp	Zombie.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\preloaded_data.pb.tmp	_setup.ini.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe.tmp	_setup.ini.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\IPSEventLogMsg.dll.tmp	_setup.ini.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\osppobjs-spp-plugin-manifest-signed.xrm-ms.tmp	_setup.ini.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\button-highlight.png.tmp	Zombie.exe
File created	C:\Program Files\Internet Explorer\DiagnosticsTap.dll.tmp	_setup.ini.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationRight_SelectionSubpicture.png.exe.tmp	Zombie.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\fi.pak.tmp	_setup.ini.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-correct.avi.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\msadc\msaddsr.dll.tmp	_setup.ini.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-image-mask.png.exe.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\15x15dot.png.exe.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\1047x576black.png.exe.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe.tmp	_setup.ini.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\highlight.png.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationLeft_SelectionSubpicture.png.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipschs.xml.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\msadc\msdarem.dll.tmp	_setup.ini.exe
File created	C:\Program Files\Common Files\System\Ole DB\ja-JP\oledb32r.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\wab32.dll.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_ButtonGraphic.png.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationLeft_SelectionSubpicture.png.exe.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\micaut.dll.mui.tmp	_setup.ini.exe
File created	C:\Program Files\Internet Explorer\en-US\networkinspection.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgeCallbacks.h.exe.tmp	Zombie.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mk.txt.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdaosp.dll.tmp	_setup.ini.exe
File created	C:\Program Files\DVD Maker\bod_r.TTF.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\PassportMask_PAL.wmv.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe.tmp	_setup.ini.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe.tmp	_setup.ini.exe
File created	C:\Program Files\Internet Explorer\ieproxy.dll.tmp	_setup.ini.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\InputPersonalization.exe.mui.tmp	_setup.ini.exe
File created	C:\Program Files\Common Files\System\Ole DB\fr-FR\oledb32r.dll.mui.tmp	_setup.ini.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdasqlr.dll.tmp	_setup.ini.exe
File created	C:\Program Files\Common Files\System\msadc\msadcer.dll.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\msadc\msdfmap.dll.tmp	Zombie.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ru.pak.tmp	_setup.ini.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\keypadbase.xml.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\tipresx.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Services\verisign.bmp.tmp	_setup.ini.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\PassportMask.wmv.tmp	_setup.ini.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\tpcps.dll.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\ado\msado21.tlb.tmp	_setup.ini.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\blackbars60.png.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_scrapbook_Thumbnail.bmp.tmp	_setup.ini.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationLeft_ButtonGraphic.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe.tmp	_setup.ini.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwruksh.dat.tmp	_setup.ini.exe
File created	C:\Program Files\Common Files\System\msadc\msadco.dll.tmp	_setup.ini.exe
File created	C:\Program Files\7-Zip\Lang\fi.txt.tmp	_setup.ini.exe
File created	C:\Program Files\7-Zip\Lang\hy.txt.tmp	_setup.ini.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\button-highlight.png.tmp	_setup.ini.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

d66c849328c2bd90d38cff728606ea47ff3c96d247cb4cae5dd035aec4be8599.exe

description	pid	process	target process
PID 1284 wrote to memory of 3024	1284	d66c849328c2bd90d38cff728606ea47ff3c96d247cb4cae5dd035aec4be8599.exe	_setup.ini.exe
PID 1284 wrote to memory of 3024	1284	d66c849328c2bd90d38cff728606ea47ff3c96d247cb4cae5dd035aec4be8599.exe	_setup.ini.exe
PID 1284 wrote to memory of 3024	1284	d66c849328c2bd90d38cff728606ea47ff3c96d247cb4cae5dd035aec4be8599.exe	_setup.ini.exe
PID 1284 wrote to memory of 3024	1284	d66c849328c2bd90d38cff728606ea47ff3c96d247cb4cae5dd035aec4be8599.exe	_setup.ini.exe
PID 1284 wrote to memory of 3024	1284	d66c849328c2bd90d38cff728606ea47ff3c96d247cb4cae5dd035aec4be8599.exe	_setup.ini.exe
PID 1284 wrote to memory of 3024	1284	d66c849328c2bd90d38cff728606ea47ff3c96d247cb4cae5dd035aec4be8599.exe	_setup.ini.exe
PID 1284 wrote to memory of 3024	1284	d66c849328c2bd90d38cff728606ea47ff3c96d247cb4cae5dd035aec4be8599.exe	_setup.ini.exe
PID 1284 wrote to memory of 2984	1284	d66c849328c2bd90d38cff728606ea47ff3c96d247cb4cae5dd035aec4be8599.exe	Zombie.exe
PID 1284 wrote to memory of 2984	1284	d66c849328c2bd90d38cff728606ea47ff3c96d247cb4cae5dd035aec4be8599.exe	Zombie.exe
PID 1284 wrote to memory of 2984	1284	d66c849328c2bd90d38cff728606ea47ff3c96d247cb4cae5dd035aec4be8599.exe	Zombie.exe
PID 1284 wrote to memory of 2984	1284	d66c849328c2bd90d38cff728606ea47ff3c96d247cb4cae5dd035aec4be8599.exe	Zombie.exe

C:\Users\Admin\AppData\Local\Temp\d66c849328c2bd90d38cff728606ea47ff3c96d247cb4cae5dd035aec4be8599.exe
"C:\Users\Admin\AppData\Local\Temp\d66c849328c2bd90d38cff728606ea47ff3c96d247cb4cae5dd035aec4be8599.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1284

C:\Windows\SysWOW64\Zombie.exe
"C:\Windows\system32\Zombie.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2984

C:\Users\Admin\AppData\Local\Temp\_setup.ini.exe
"_setup.ini.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:3024

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-330940541-141609230-1670313778-1000\desktop.ini.tmp
Filesize
97KB

MD5
38366522b13eb61a90c2fd06a15f234a

SHA1
4be416737aad53a1c12a6487383099f52519a598

SHA256
12c30090a010769837949e6c9b4744766dfceccd91dafc9131eb2d32a81c348f

SHA512
553450bbd68026439339347581a4d530cd41ee5f0637081d7799536126bc95a97aef8b48f4ae950be62a5fd42daad3b4b732a4e878733ca98752452b6f070ae3

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.tmp
Filesize
15.1MB

MD5
430526faef276f0457d89768674898b6

SHA1
ab90d909101819602f33d3394a753500554763be

SHA256
b4feff0fd51182cf480f068d752f3a081322a422a9181eba8998a5323a39517f

SHA512
90240a3ef1b9f6365cbf73de994cfad016d69cfc4eab2eea4fd10345b5e99b4f845384f7d762f58bf9d6b66045c32d4cb6650eeabe686a32144ee3864d10122e

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.tmp
Filesize
22.9MB

MD5
dce92087ece89c4190fb1782f14e4867

SHA1
1e9fb637ffcbc7ce7e5aa18a3db75c6f053613d6

SHA256
81467c5dabd442e303fb47dbec50808d42c128fbf536d16cc37779ef0d4fda5d

SHA512
81bab56d80fa5d55dc796ca8121dc4acd37ee3cc0f92666517e54dd024195957d4e89afd50857c3b80eeb98303e2a148b967f20466ba57c8d8552ed957ddbce5

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.tmp
Filesize
3.0MB

MD5
56e9c90fcc909b3594c23676979a99a0

SHA1
6c5d9a741e0bafec711a4d90cb6962aa88a13407

SHA256
fc3cf094d9afa5838854f69db7619c33afa1058818e262d5a4f2eece6c08b8a6

SHA512
69c631fe4875d813a47da5c98f46a1b10ecfc9f0daa6978bd1182ca62466a9de93ea3ac5d627e950fbcee3bdbaf846d0383aedb6f433e8f771084234cba6b194

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\PidGenX.dll.tmp
Filesize
1.3MB

MD5
6d3ec335b3f4abc8dbc91eb2c7fe88b7

SHA1
6c80d47228b43a6217612ebcc22ffd37b64c19ea

SHA256
3fc7f6d79b4a68859c8c7c5c27692b9a2026f8656bd5f38212b55afc07014792

SHA512
5e486584901fa63c224802c8ebead8bcc3094d4dc904bad81a11aed875df04b80a7a0e152371ff7e340b572f458bb1e62358ec212ac924202ad4fce5f801e007

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.tmp
Filesize
10.9MB

MD5
d1bf301cece7c0545b0e17d80bd77629

SHA1
24e143a4652f595ab33d5e19b49b90644714c7c6

SHA256
12a7e46006d1f82828074df6f1c2cee69d2b0b83f3443ccb0f014541fcbf3908

SHA512
2a6ad5475749cf66dbdbdcbff85621ca47322b2377a736169192032ba2b182ccd5c0adfb1f8dd44b1642a3f422c85e3475c09f74765a4029b332f14486ce40f7

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe.tmp
Filesize
243KB

MD5
785ce9efedee1b769b9eb1e15a7cf822

SHA1
6b4197f92a020421809961c1b779a67d86ad3a43

SHA256
41ad47bf434531ab09545c6353334b3091cb76aed6ca736219f3c70767c8bbde

SHA512
f71dedc0d952c41fec5598128ae46aec72bba88dade181ff78d8cfc5b1418659a626664deb47ddd6eb5acdb1d4fb6b2d4f08deeece545ef6d89149efc272ae04

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\osetup.dll.tmp
Filesize
104KB

MD5
f3104b9e0f133f50fcf298f055fd699e

SHA1
31b27778d5786af5360a67ef3a4ca0ec5f9a8347

SHA256
bf09d16af629286b7f56e8fddb09c5a6cb483b18b7e85393bd86b8b337c22369

SHA512
4fb0731424a495da9d39e6f033dc9e67c818726b13b295a437bf9f69a1ca9af5a29a31242a3da46363de77a97b911ea48d48715877f4410185bdccb450599f73

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe.tmp
Filesize
312KB

MD5
08e09f1a2f5a68c5b71118be0dcb98fc

SHA1
d362e9959105c617115e05af7b0efb242b041542

SHA256
badc88a0bc744472450d605ec0c0a5cec00232d573998ec4a3e481f236c42b1e

SHA512
b089d50dac8bb9e04ed7ef9afe7942b6e6f738d22080263323334ae4396ee70a2f83f85d01f05bc965ccf1414c83c6de8a37954c5187190d05d85193a344e9b1

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.tmp
Filesize
16.2MB

MD5
00c5e9be764d4631d4bc94930938403b

SHA1
25f990bec14ba30febadb7fe55b8cfa425ffad02

SHA256
e235aab828fd807cd6dbc417100dc9259c46208bee46f9683ad3027bf1233905

SHA512
515b8e4bbe65224ff9de00fb70ad9c9ee2ae31f952eff9fb2d21e0da5252a55392f0d90404d8ca5224ec5026b50ca81570350ed1ad973d40cdb633bb1a422a00

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.tmp
Filesize
1.8MB

MD5
a7d0e1dcd1ab6cae9d382cd1b3b66678

SHA1
2c4173e7066174be75bebce7366248b423c6accf

SHA256
1d2ffe4d62a9b3cb2a09ec763454a0a7ea96994e8e99f2a6385575fa01ab3291

SHA512
d9a8ef8e82c20769e0ed1f47d071bda1d30efd2da961d20b567a53a82bf66c9b803adbcddb47307519abb79c7533e4dc1ade79e62e7904a271a5ff6ee04c341b

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.tmp
Filesize
1.8MB

MD5
51037b7a1537b1d693541a114a2e0af4

SHA1
2d4620579a30506e6101141e79b49015e69eb17a

SHA256
9e5942498962b359a38054ef79b95d7194f8968c155fad296fb899d23e906626

SHA512
e1af5b870e95903fd79ae33877f3f8bb086ac4ecfe0d2695fac5fc108e033be4a4d4698db533b2bd0d9e85dfda16e634f9236efb2a26ccf5059e6a25d05fd70d

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.tmp
Filesize
9.6MB

MD5
a64db5d3e9dc82d391e6e3223d871aa2

SHA1
4eed8f3d9df5e19b32c34afc2fac60fdbc6c6344

SHA256
bff2dc7bfbf06b8b7a05ab78525467c21b8e49a19fc4d7f569c55cf7de1ec090

SHA512
0b22738ac41d94802da8ae488966e1610124948e3fe8a577dedc6950ed4484fd03512f18eb52ef5e0ab8114bfdd766e8b0946437c58c0cf8d5a1ad4a55c27140

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.tmp
Filesize
1.8MB

MD5
7f3f146fe14d6374d9c9bfe981880dd8

SHA1
44b7900018bf4d0825fb5f0212919b4ef688d7c7

SHA256
02ac627e281ebe937b5191f73347993981d89da6efd2972b39a029a83328e825

SHA512
5bd0347a57c928c16da881372ed64b753b2af69a170ca371974754af9d9daaafa901fedf2472c0da5c95aa7fa00d57d8cef66a402dc9333b1266e581628b3f89

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab.tmp
Filesize
6.4MB

MD5
3aa417a1105aeac3d248124d05765d96

SHA1
824a16da4faee94159c59f791a84d631c8a010e7

SHA256
eabaee757fce0986850f7253865d13756ae1d9ce6db60f1368b5fa09e4443351

SHA512
44e622760b2690431317cbf541d0e0c36229a6572511df3a16c3921aacff23fd361c7dcb11c236edbae200e594d3a5de4a283312da38b6383c2f427ead312e1d

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi.tmp
Filesize
2.1MB

MD5
c4ea6e192d001850973e8d27f9781785

SHA1
7bcd1c68476c8aefdd081b6e66daf8a112382b88

SHA256
d97021b3e9d672c63af03c650df06019eb1b9c5d84a0ffb160af10a27f8b9ea5

SHA512
33fabf33c4faf38d5f7f4cc1e9a6d0a22413cfb4539b5045b684b339f9a8b28d3c9b738138d4343fd01fe11202652dd77c325d72e2969a904e2d92be22fdca8e

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.tmp
Filesize
102KB

MD5
158d520dea540e36f7c64268dc15192f

SHA1
4cf4a056cbf5a8cbbebbbeeb0586cd2270183a43

SHA256
0e7b460ed103d553be9e6ad8a3317e607faaaae1d893e4a94908111b733cf85a

SHA512
9687349c9942da1196223e3a38b9919091550607111a5887d65bcb4db8d13edce28db9100a15001905b51e58b89120f076e69f2181b4d27cb7d285dc0e77bd97

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi.tmp
Filesize
1.8MB

MD5
2c5e5aa29c95710392517f4ff5245d77

SHA1
87bcdedf771e13e4dd136f07db691b2450c0992f

SHA256
03710b8be53a96fe55bcb35f222e10797569aa76a1385b26cc2403c9f92660c8

SHA512
a471dfb54384a49e4b111aecdb7d7a713825703400038534b3f379b377acb6b0bd12662dc1fcf96648e850eadb63b6bee6affb07e4c0dcca42071a12285e02bb

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml.tmp
Filesize
101KB

MD5
bee9d4bd9bbe16ebf6f360fd501b9014

SHA1
1e5f7784956d40836f2f545733d2b0d36290b6b5

SHA256
80051b02e739d0bda300c9b3ba60a5f212bf3d49d02c0aba0d578ee20eef44d2

SHA512
a5117d385d7f7db0ad94699b4f57eb648ec6d33b2a6038f24e71e84e330b979c62aa75d1cb3ade7f8094c59aafc560ed2ffb5c4ccdbf08e922db4093545493da

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.tmp
Filesize
4.0MB

MD5
57680ea0e6227bb941f0574c96ec41c0

SHA1
5a378eaaa4ff6027dcc61b9a287c18b4d00bc263

SHA256
e75d05ff19db9a0972883a03992a0ae18a0444bfff60c8f2d2f6f56fa6e896a7

SHA512
f0d988549b174a606230d9bb5263a99d0c53fb2ecdb241b5cf65b6ed474c93c5b749a20cc4a85ceed47e5f9de0e102bf532c0e95c01668484711e91d8ca44c89

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.tmp
Filesize
10.5MB

MD5
a4feb8755ae4fc7bb7b068514fa9203a

SHA1
e209935964f79a0e496bfdc27daa39c9d8ba719a

SHA256
cec32420f4b25bd16cec26f256da8226035bc6ad75d44114e6c4a09a1985e881

SHA512
aef2aa7412d434ec762b56949e773bbfe48881b3327e2cbf279272e67c327d0687df53c1501c7aaf9d810f61480af46e983631a28023ecee7c42f0526d92f9e0

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi.tmp
Filesize
739KB

MD5
140178f622631db71fd8ad2c0343f92f

SHA1
eb403ca545ff15439d17058b0cc8fcea3c35af78

SHA256
6be441ce3f0b633ca64e166f6efe58f65f24c65b44484ccc49571bcaa4e3e3d9

SHA512
1346f1e6c3b1c816c79288a19813e9bd1de1f98a025d3a922abd44ad5907c93a236ae7bd025baeb53627486406139d3c6edf35ebb2b1c8c9d9b0982b3e5d41f7

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml.tmp
Filesize
99KB

MD5
f0ded981e32a5c96e1305b64c8577f24

SHA1
5e857d1099511a1bb1b1c9818edc3b7805fd35f2

SHA256
3f31628487d148057d188d0920f33f198c3f2d225c38e3a3a00a1c6feaec544a

SHA512
637821b391312cd2b4d989a320ee4061dccd8f5025af2fc4705f102792d008e5a5686148a69aab476d0318cafb32317477c2783083ef5965083683c0edc0a0eb

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab.tmp
Filesize
548KB

MD5
69826b7533eb1da024f4b1f6ab6bd1f5

SHA1
5830b76749a9a0033ff3d56237be85747f6856bc

SHA256
d6ebc8f60e7aa53350e19963e3d25754685f6815baaf2ae53e81a4d01aa04172

SHA512
f4311618b2097997c3d909e6b4f01b3b989e74ab95511a1c3d06f85785c23e2f8e83a6d638b7195c646f07d718ad0772ae16aa3fe4d732c02a3f6b50f543a248

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.tmp
Filesize
348KB

MD5
e1de9036bbd436fcee2b8f172e9870bd

SHA1
795c8007b0a7b9e6bc96517aef5ad445c25d503b

SHA256
6c9a0b99b7590acc2ad088e1840143c1ba465b671acc620d22a1b7bcb6c8fe59

SHA512
171688be9620492cecc3fa76e102a5816c582dd75215cbacef6b91c66aac7984ec615a6466b17320cd4193f8108dc622ffde16fe861b473a82da5a8b4125f5d0

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.tmp
Filesize
19.6MB

MD5
1304f587be18de74a3f2b1ef3810537e

SHA1
843ea62eab970797a16ed5739a11aa52c05db4b0

SHA256
9b0bbc473d1b1bc6837abba78ab89a6e4c763a8c48234f5ba9c874b672687dbc

SHA512
54151158a54843db6bcd8729a9a59e0950dbdd6b72a04bb854f1fa6723be6e19ebbef77bb0ba584eabed48d43ad8c292201fb6eeda67605d99a3393a790656d0

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi.tmp
Filesize
749KB

MD5
9459566ea5982305cd96e610192d076b

SHA1
fa152d60d8ea9fb8dba6be797e7f422d26ca91aa

SHA256
5787a6bbbd3363a0ef101bb229495a295076d01ea03d6318d8cf3d88a1733c61

SHA512
e9d810922f6d198b0541601034a7b2868b8aa77bca74cb6db7f421cd932e2de4708bb0f61c8323aada87f39c31ab1dd7255e96a0e06576cf19fe7bf302061661

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml.tmp
Filesize
100KB

MD5
9dea2dd28f9f9a84460d05b272330351

SHA1
d2eeae08f64d9f14bc5e3c09642973dcb738894c

SHA256
5134dc36e44f35f31da374a818c6035a297c8571223da72c0e31d5739c418829

SHA512
1c9378358e149be58167b2eed8ef420e1319c08d99e2d3679a2e104a639ebeac87c0480336d72ac03f0d40edb1c03c2c1aa64eefaaa7b4690098281c51258be2

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi.tmp
Filesize
732KB

MD5
0fc2a4cabf1ce8b05e3ae734b447765f

SHA1
f785158834663344fd803cb85a8e09b8b2e877b8

SHA256
fa1b94eaac84a6bc700ee433f388e08edf5124ed2f425b40c294f972be7025f2

SHA512
fcbb677ff346e83f694d5d9b03570b117ce91948bb373826499d5da447d86d2e3845f006ad18152112b301f1541ffd0c6926caa77d176a93553961b4fd59c957

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab.tmp
Filesize
340KB

MD5
b632970289c41c6ab7e6f9d0be79d722

SHA1
d63e5342037328d5bf17ceabe6a8ee6d1efc4429

SHA256
3cf81dc7e66b40b3da8162df51582f28ec9087573f18742115efc4c6a94afa81

SHA512
51b1eec415e83ad3515878add3af610b7aeca9eb5a589f9b5fdd833042aa680ab508478edab33b8a1835750c0fcf29d97ef6e4917d09ef2a903d1654050742ac

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab.tmp
Filesize
15.1MB

MD5
07c0c511d09c1207816511c5531ec7df

SHA1
59ebeb172a04c2f064a021885ac92c99de0deea8

SHA256
49a9197cd9cfdec2d60b94e6807cb3291f9911995aa107b3aad0644bae4f5bd3

SHA512
24bc5670ee5b17bfa15f089125e76f43b2ce22b75e71c278c7a48d9e35f999d2c0837a8c12f39ce0b88d32a40b6ca097ebfd92644db7e231124e2d52112efc3c

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi.tmp
Filesize
2.4MB

MD5
22bcc81306e03ee60c2eb87e46bcdb72

SHA1
9142c772ec68b76fd3608e666f1b1714460f57a0

SHA256
63a7bd4713adce3f53a91cd50e495ad9e65304743cf55e6274df551a589e74bf

SHA512
27534ac2b03d9a50fee0dd746a80978583d7733897eceb6b4949759174fec9d48f416653029f348e71e1d643648bf015fd05113f94c50d6bc441a59136c438ca

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi.tmp
Filesize
2.4MB

MD5
111abd7aa1545ef220d2a4f3766125cb

SHA1
2a854aa248dd72026097dd39573e8a32d07044ba

SHA256
861e472ccd335dae85c15a3586474e064940852427b25a4bd58ee91855eef99d

SHA512
abac3318974dca3344b21142371340741d3af643489f1867ca96227fe0829e6addd4b115c0c638ecddef62b5d1ea703e42998d6fc1b2dffa5c274b7dad9081f2

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.msi.tmp
Filesize
1.8MB

MD5
b8c75e77fc8d32240f62a9c055799c5a

SHA1
27e49c7fb02f50d4a7268ef53948adf3f4b653ec

SHA256
6a82096d5e08ed1264dd43c47ea7ddbc7bf6596e4974adba51b25b88d7b03555

SHA512
2f7faa6ee09131a3d36ff24f4eb55c2b3dc759b4cac4b9e3fd4b2c2509b5367d1c6d097b73eba4cedd4383dc05df9fd8b9ea21a978a2b0b7db788e4c1e2db394

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.msi.tmp
Filesize
1.8MB

MD5
e17d9517b59519db49e6b32647c3d735

SHA1
d91d3ce4487e4d44960a8358d49af796278ac466

SHA256
94c098c69dd3058ec379d8abd875d952a684f3ba799c27cedd477944322002a7

SHA512
ff28ce863f24659d8520264ae128ff311cca2f0d12314061f0b8d1e8df4621b8eb2758750efe4bb09846f759b9c7676cd3057ea850da0f22518cec4368a1960b

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.xml.tmp
Filesize
100KB

MD5
51a89427fb0d479b91d83116448bd520

SHA1
2589b88a8d9eacbd0b38ea1b8ee4292db770e723

SHA256
2d5a7829f2be16130a15a1c99a09d712e21223603c3fdf66a7187a4d30d2df71

SHA512
311016ea73465c5f8f5c69f5ee73c501e9d4acab4286c13507229398f26a77d51b0d694f9e785b7ce1440a5cc51b8c00416294280855eaeadd303a42175977d7

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OnoteLR.cab.tmp
Filesize
16.7MB

MD5
8742c158b1a819a7785b492520f3ee4a

SHA1
36bb1c4bc2dce11bd8224ca579bbd86c1d151e3b

SHA256
3b120f2fe41a019f683d58597a81cc46f20b5486f5d7e9648ab2c23bd08e40e0

SHA512
72d044beaddb455df73a23b63af0d04beeade102aa3c18d459e9afc6adc5db8818b1283d1a54fca692ddd4dc2a52ae11f0d6df0030446c43bec2b138fb79933d

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Setup.xml.tmp
Filesize
101KB

MD5
f3fd012b3c5b317f973644fe491826ba

SHA1
63456d25d1c40a5d104df836b1af66bc18d2760b

SHA256
96be5f3a6d85174c2da87c98343eabca4046e4a2e88128e0be9ccb22e905cd8b

SHA512
66848a4e95af4cf14b24e30eadccb876ea0b2b805a8a569e81f630a062fbc60b25e07ce89ed88e1b7428ae6b83903725cd4c3b6dba681a1a41590a3afca9425e

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveLR.cab.tmp
Filesize
588KB

MD5
3a40cfc46a3bcfbb5f7f9be54f65bbff

SHA1
26ba69416c57e43eea74eb1f4616b2a97c9a471b

SHA256
395eae83c5011a51a975427e2100343e36da887da721390cd15076558617c72e

SHA512
16cbddae7a813ed135605b608986ab1d587606bce605bc286f41770e848f18e42531d6db11c2e463a6b337d24b3221763d6fe48fb19db1cd2fed3d903e8f2ea7

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveLR.cab.tmp
Filesize
4.0MB

MD5
034e4d45bc2fb3bb28c2bb348abadd94

SHA1
f5e016103f69f6e92b5160466fd79d1415ce2c3f

SHA256
fd37571f9353eecbe408d599b0c1fbac9385fa0af7ccef610564c364b7de3dd2

SHA512
6f8a1cd67d1bb8852bb012b259535842e87a47271b012110d73d48ff60e5bf12727fde25535c3bcee205c2ab1cd1e0dd744f0e3f9008e311a7c41d4e2af6a523

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.msi.tmp
Filesize
1.8MB

MD5
803733abf348f087e39b0b44904463d0

SHA1
95e4a1cd1abe95a33edecd881e829d0ea91ec7f9

SHA256
a22aa2dc76fb11541a745c24bf467bdbd2b2ee574bb5c350f5018d00c2d7fc0d

SHA512
b9705b35e133dee0399b75024abe836df2d64b5823db71cab9a90b283ff0c9ee54592d3b29d3434dfa22484c7554c7f5fd6876b70f1f10706f781e92c5812a7d

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwintl20.dll.exe
Filesize
202KB

MD5
00ae2a85f3df1bdfe167136b8407bfd9

SHA1
e71701a6068a3f18ca870a7101cc40b15a829bd9

SHA256
20c454db610024840c17339e73698a9fb77314cd626e0474fe9f572015574930

SHA512
2b6e18c8e6d7e0abd63448acce4b7c7d1382122193de3922b2f7af5a16135e09056f2e894330e536142c927e20e9bb3099116219d6012945b42341052da1974c

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE.tmp
Filesize
916KB

MD5
dc827a645f0087a47ba6743833a730a7

SHA1
592afbe25d9a527a183bf2d921175a297a9c7a80

SHA256
2449124c7e0cc383dfd5cd903dc16fe949945e4615fa0c1c7a368ef631b3432c

SHA512
4cf4bf5b758387f4eca9b375a6997589a6f01f1a050aa4300c57cc2ae04479c4aa485b0cfa8c8cbb95f300e0bbdfa9fab7a1df9a1bfbf1deee757f107fd44f6d

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Microsoft.VC90.CRT.manifest.tmp
Filesize
100KB

MD5
a13302dd6f65db34cab61469f8deab8d

SHA1
fd2b6142c87946b9a29f73fadddfd7aad3570fb5

SHA256
c0404757d6e4d2bc6a17493236289880b18a0ab0d249e7f1a77b9795c017289e

SHA512
51f7e6ca40c11c6aa9afa16cee1aec9f24e53e992517c1067f36413a727a44cb9abc94329057ceb32de9789bb58b4db5e70ee2931a7fa0b3fb46fd9958fd7355

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeLR.cab.tmp
Filesize
13.8MB

MD5
4101fcc8590f97c3e51d90ff70562c6c

SHA1
b134b4e60848d3a4b0b89a30262886a102f4a0c6

SHA256
52590c41a181d42f023ad367ff567330241c4d314a08c56974a3a6b1db4c127c

SHA512
7394abbb8a410d8464b146042a348482b44f1de945c6a37ecb474ab3e4df81f92bc4aea6fbbedca1f6bc32962e0d20613d5d08139313d74fd3385f688799a1df

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.msi.tmp
Filesize
2.8MB

MD5
7003d98db95990b409f949276c9f78e3

SHA1
65e526c8fccf7d2b3ecaa3288b1748a6c23945cb

SHA256
a96db0127f087d7f57bf7006c81808f305d0978774e964f3f1dd5c3ff04ed03c

SHA512
ae5adfec8d48a6d6e38db2588fbc137cdf26c284537ee35290ce1e850183cb681bc219c16e16d0688fc3fb98cd4485781fe70e54d4907b85662c6caab63ad5b8

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.msi.tmp
Filesize
732KB

MD5
750152a6b917782378c284d765d2ea72

SHA1
a6d6a0dbdf689566e98997d3e8fc025baa1951ea

SHA256
7344d14197e9181ecce98f3547263b6d73ee0f3c734c0c052ca14474a20e5375

SHA512
6f1f400aace8f982c1888c58d1677235c3d39b1a853e0c4d3f6c1c038cc197845d9e142ded9ebadc381f0ae5146cd29fd51384b1251be36b636f591d1633eee1

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\branding.xml.tmp
Filesize
679KB

MD5
ae6f014b297f97af5a656950c87ae89a

SHA1
ea814bcd53ee93976d0b409ce1127028238d74dd

SHA256
c526c7beafd1f2e3e93f12441e550881cf2851e7fe322a083392f973d56f0cee

SHA512
3ac839cf6bac0a6d5b49cb963b60a7ea8dab8f2df266aa54d583132e6393f6104077173b48682af4847c2c5def7a2d8992ff1792c6de58c86b96839781f80b1b

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe.tmp
Filesize
605KB

MD5
7bbe2683b13677ec02886e007502a21c

SHA1
5faf1814f6c541be0706535dae169f5734f0ab6f

SHA256
68d2d34e320db89ed3d5710d2588aeceb3450d5f5fd93a355cf3da2a15a67ab4

SHA512
e8f2b587a3edb420aa62e06294ba1c6a3501c82bf36fa26aa88303da4249475e641c5e9ef141e60977f0bc1a0dd6348961671cb0d0f47d6fddb5a1a66d4d031c

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\msvcr90.dll.tmp
Filesize
737KB

MD5
440ca939f300311716e71c7eaec673d8

SHA1
f3add91ac0d06a7700c35b91719057bd64cae900

SHA256
4bd39f62891216dd8049fc480bbf17092cb21fd0498514acbd3bed74d8bfcb44

SHA512
ff4be9d38a99790262e29088c45f74c9f92d4bb6d83ea2946970f4fa965d53c30d526a452116953685edeac24037587f4d261e38beb6234dfbec07008c685a25

Download Submit
C:\Users\Admin\AppData\Local\Temp\_setup.ini.exe
Filesize
97KB

MD5
b2d590ca87c32282f99c0cea6af17cff

SHA1
9da9d6513fca72835547013879a12a87b87baf53

SHA256
664ed9870e136625b0e7c6c3999a6391a7911e451dbe5834f72bd25c1a03a567

SHA512
19b8a23335d8062929bef10d0e5b8597770fed99bfb5776e4572edb93307b16e04cb5299c131ac3854a89f1a80061b740f50a96e3754adf1d2447608f75a0d15

Download Submit
\Windows\SysWOW64\Zombie.exe
Filesize
97KB

MD5
cd05396584f2691216469104dbd20454

SHA1
c952987f07e48337d34c4fa93df20881a7c83a5a

SHA256
281edf7d3e876ce4b6fee6f0451a738c3dde9f2357122d6a9f202ee08d23303d

SHA512
6081239849e1caa29ed6e1cb741ee343dfd6c11597cff1736a7720cf317de44eede2f739a04cd877e1a829af7fccdae9387aa8549c790fabdefc4f59be9ecd2c

Download Submit
memory/1284-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1284-55-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1284-108-0x0000000000260000-0x000000000026A000-memory.dmp

Filesize
40KB

Download
memory/1284-150-0x0000000000250000-0x000000000025A000-memory.dmp

Filesize
40KB

Download
memory/1284-4-0x0000000000250000-0x000000000025A000-memory.dmp

Filesize
40KB

Download
memory/1284-18-0x0000000000250000-0x000000000025A000-memory.dmp

Filesize
40KB

Download
memory/3024-57-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3024-24-0x0000000000020000-0x000000000002A000-memory.dmp

Filesize
40KB

Download
memory/3024-21-0x0000000000020000-0x000000000002A000-memory.dmp

Filesize
40KB

Download
memory/3024-174-0x0000000000020000-0x000000000002A000-memory.dmp

Filesize
40KB

Download
memory/3024-195-0x0000000000020000-0x000000000002A000-memory.dmp

Filesize
40KB

Download
memory/3024-22-0x0000000000020000-0x000000000002A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads