f24c49e9a73cebe8b6278642b1aa447f01518a2e166b64aaf7720ae652dad93a

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
25-05-2024 05:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f24c49e9a73cebe8b6278642b1aa447f01518a2e166b64aaf7720ae652dad93a.exe
Size

148KB
MD5

478413942bbef63aa2e5989986dd728e
SHA1

3eeeda85a6bdcf132146b774a8edc5fec1ecfa81
SHA256

f24c49e9a73cebe8b6278642b1aa447f01518a2e166b64aaf7720ae652dad93a
SHA512

f5bba32f9f1326497052815a935f32aa121fc470ed6a4089ae18cd4517f7523fa905430dca0598bac3820c1de93de025c3a6895a90f7ef53b91837d3d4ea0d34
SSDEEP

1536:V7Zf/FAxTWY1++PJHJXA/OsIZfzc3/Q8xJJMJJM7Zf/FAxTWY1++PJHJXA/OsIZm:fnyiQSoOnyiQSoc

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (3565) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 48 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2356-0-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
\Users\Admin\AppData\Local\Temp\_KB2919355.nuspec.exe	UPX
\Windows\SysWOW64\Zombie.exe	UPX
behavioral1/memory/2356-8-0x0000000000260000-0x000000000026B000-memory.dmp	UPX
behavioral1/memory/2744-14-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
C:\$Recycle.Bin\S-1-5-21-2248906074-2862704502-246302768-1000\desktop.ini.tmp	UPX
C:\$Recycle.Bin\S-1-5-21-2248906074-2862704502-246302768-1000\desktop.ini.exe.tmp	UPX
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe	UPX
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\osetup.dll.tmp	UPX
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe	UPX
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.exe	UPX
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OnoteLR.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveLR.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwintl20.dll.exe	UPX
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE.tmp	UPX
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Microsoft.VC90.CRT.manifest.tmp	UPX
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.msi.tmp	UPX
behavioral1/memory/2356-226-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\osetupui.dll.tmp	UPX
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\setup.chm.tmp	UPX
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Setup.xml.tmp	UPX
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\ShellUI.MST.tmp	UPX
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUISet.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccLR.cab.tmp	UPX
C:\Program Files\7-Zip\7-zip.chm.exe	UPX
C:\Program Files\7-Zip\7z.dll.tmp	UPX
C:\Program Files\7-Zip\7z.exe	UPX
C:\Program Files\7-Zip\7z.sfx.tmp	UPX
C:\Program Files\7-Zip\7zCon.sfx.tmp	UPX
C:\Program Files\7-Zip\7zFM.exe.tmp	UPX
C:\Program Files\7-Zip\7zG.exe.tmp	UPX

Executes dropped EXE 2 IoCs

Processes:

_KB2919355.nuspec.exeZombie.exe

pid process

2744 _KB2919355.nuspec.exe
1456 Zombie.exe

pid	process
2744	_KB2919355.nuspec.exe
1456	Zombie.exe

Loads dropped DLL 4 IoCs

Processes:

f24c49e9a73cebe8b6278642b1aa447f01518a2e166b64aaf7720ae652dad93a.exe

pid	process
2356	f24c49e9a73cebe8b6278642b1aa447f01518a2e166b64aaf7720ae652dad93a.exe
2356	f24c49e9a73cebe8b6278642b1aa447f01518a2e166b64aaf7720ae652dad93a.exe
2356	f24c49e9a73cebe8b6278642b1aa447f01518a2e166b64aaf7720ae652dad93a.exe
2356	f24c49e9a73cebe8b6278642b1aa447f01518a2e166b64aaf7720ae652dad93a.exe

UPX packed file 56 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2356-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\_KB2919355.nuspec.exe	upx
\Windows\SysWOW64\Zombie.exe	upx
behavioral1/memory/2356-8-0x0000000000260000-0x000000000026B000-memory.dmp	upx
behavioral1/memory/2744-14-0x0000000000400000-0x000000000040B000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-2248906074-2862704502-246302768-1000\desktop.ini.tmp	upx
C:\$Recycle.Bin\S-1-5-21-2248906074-2862704502-246302768-1000\desktop.ini.exe.tmp	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\osetup.dll.tmp	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.tmp	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe	upx
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.tmp	upx
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.tmp	upx
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab.tmp	upx
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.exe	upx
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.tmp	upx
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab.tmp	upx
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi.tmp	upx
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.tmp	upx
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi.tmp	upx
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab.tmp	upx
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OnoteLR.cab.tmp	upx
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OnoteLR.cab.tmp	upx
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveLR.cab.tmp	upx
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwintl20.dll.exe	upx
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\branding.xml.tmp	upx
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE.tmp	upx
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE.tmp	upx
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Microsoft.VC90.CRT.manifest.tmp	upx
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\msvcr90.dll.tmp	upx
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.msi.tmp	upx
behavioral1/memory/2356-226-0x0000000000400000-0x000000000040B000-memory.dmp	upx
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\osetupui.dll.tmp	upx
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\setup.chm.tmp	upx
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Setup.xml.tmp	upx
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\ShellUI.MST.tmp	upx
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUISet.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccLR.cab.tmp	upx
C:\Program Files\7-Zip\7-zip.chm.exe	upx
C:\Program Files\7-Zip\7z.dll.tmp	upx
C:\Program Files\7-Zip\7z.exe	upx
C:\Program Files\7-Zip\7z.sfx.tmp	upx
C:\Program Files\7-Zip\7zCon.sfx.tmp	upx
C:\Program Files\7-Zip\7zFM.exe.tmp	upx
C:\Program Files\7-Zip\7zG.exe.tmp	upx

Drops file in System32 directory 2 IoCs

Processes:

f24c49e9a73cebe8b6278642b1aa447f01518a2e166b64aaf7720ae652dad93a.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Zombie.exe	f24c49e9a73cebe8b6278642b1aa447f01518a2e166b64aaf7720ae652dad93a.exe
File opened for modification	C:\Windows\SysWOW64\Zombie.exe	f24c49e9a73cebe8b6278642b1aa447f01518a2e166b64aaf7720ae652dad93a.exe

Drops file in Program Files directory 64 IoCs

Processes:

Zombie.exe_KB2919355.nuspec.exe

description	ioc	process
File created	C:\Program Files\Windows Journal\de-DE\PDIALOG.exe.mui.tmp	Zombie.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libvnc_plugin.dll.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\auxbase.xml.tmp	_KB2919355.nuspec.exe
File created	C:\Program Files\CompareResolve.ini.tmp	_KB2919355.nuspec.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Perf_Scenes_Mask1.png.tmp	_KB2919355.nuspec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Efate.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Glace_Bay.tmp	_KB2919355.nuspec.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\dial.png.tmp	_KB2919355.nuspec.exe
File created	C:\Program Files\7-Zip\Lang\pl.txt.tmp	_KB2919355.nuspec.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrdeslm.dat.tmp	_KB2919355.nuspec.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Seyes.emf.tmp	Zombie.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Beirut.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Hobart.tmp	_KB2919355.nuspec.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.configuration_5.5.0.165303.jar.tmp	Zombie.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Mexico_City.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.extensionlocation.nl_zh_4.4.0.v20140623020002.jar.tmp	Zombie.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-filesystems.xml.tmp	Zombie.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\PresentationBuildTasks.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\settings.html.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\TipBand.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\InputPersonalization.exe.mui.tmp	Zombie.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe.tmp	Zombie.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-core-kit_ja.jar.tmp	Zombie.exe
File created	C:\Program Files\Windows Photo Viewer\ImagingEngine.dll.tmp	_KB2919355.nuspec.exe
File created	C:\Program Files\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui.tmp	_KB2919355.nuspec.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\js\settings.js.tmp	_KB2919355.nuspec.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\css\RSSFeeds.css.tmp	_KB2919355.nuspec.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\micaut.dll.mui.tmp	_KB2919355.nuspec.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\tipresx.dll.mui.tmp	_KB2919355.nuspec.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationLeft_SelectionSubpicture.png.tmp	_KB2919355.nuspec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\boot_zh_CN.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-util.xml.tmp	_KB2919355.nuspec.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_mpegaudio_plugin.dll.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\settings.html.tmp	Zombie.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\TabIpsps.dll.tmp	Zombie.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\feature.xml.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\images\cursors\cursors.properties.tmp	_KB2919355.nuspec.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\en-US\gadget.xml.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\css\localizedSettings.css.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\settings.html.tmp	_KB2919355.nuspec.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_glass_Thumbnail.bmp.tmp	_KB2919355.nuspec.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.scheduler.nl_zh_4.4.0.v20140623020002.jar.tmp	_KB2919355.nuspec.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-editor-mimelookup.xml.tmp	_KB2919355.nuspec.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Denver.tmp	_KB2919355.nuspec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Lisbon.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\combo-hover-middle.png.tmp	_KB2919355.nuspec.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\8.png.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_precomp_matte.wmv.tmp	_KB2919355.nuspec.exe
File created	C:\Program Files\Java\jre7\bin\splashscreen.dll.tmp	_KB2919355.nuspec.exe
File created	C:\Program Files\Mozilla Firefox\defaults\pref\channel-prefs.js.tmp	_KB2919355.nuspec.exe
File created	C:\Program Files\Mozilla Firefox\msvcp140.dll.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\daisies.png.tmp	_KB2919355.nuspec.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\library.js.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\settings.html.tmp	_KB2919355.nuspec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Uzhgorod.tmp	Zombie.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.alert.ja_5.5.0.165303.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.manipulator_2.0.0.v20131217-1203.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\Africa\Algiers.tmp	_KB2919355.nuspec.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libvcd_plugin.dll.tmp	_KB2919355.nuspec.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_gather_plugin.dll.tmp	_KB2919355.nuspec.exe
File created	C:\Program Files\Windows NT\TableTextService\es-ES\TableTextService.dll.mui.tmp	_KB2919355.nuspec.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\init.js.tmp	_KB2919355.nuspec.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

f24c49e9a73cebe8b6278642b1aa447f01518a2e166b64aaf7720ae652dad93a.exe

description	pid	process	target process
PID 2356 wrote to memory of 2744	2356	f24c49e9a73cebe8b6278642b1aa447f01518a2e166b64aaf7720ae652dad93a.exe	_KB2919355.nuspec.exe
PID 2356 wrote to memory of 2744	2356	f24c49e9a73cebe8b6278642b1aa447f01518a2e166b64aaf7720ae652dad93a.exe	_KB2919355.nuspec.exe
PID 2356 wrote to memory of 2744	2356	f24c49e9a73cebe8b6278642b1aa447f01518a2e166b64aaf7720ae652dad93a.exe	_KB2919355.nuspec.exe
PID 2356 wrote to memory of 2744	2356	f24c49e9a73cebe8b6278642b1aa447f01518a2e166b64aaf7720ae652dad93a.exe	_KB2919355.nuspec.exe
PID 2356 wrote to memory of 1456	2356	f24c49e9a73cebe8b6278642b1aa447f01518a2e166b64aaf7720ae652dad93a.exe	Zombie.exe
PID 2356 wrote to memory of 1456	2356	f24c49e9a73cebe8b6278642b1aa447f01518a2e166b64aaf7720ae652dad93a.exe	Zombie.exe
PID 2356 wrote to memory of 1456	2356	f24c49e9a73cebe8b6278642b1aa447f01518a2e166b64aaf7720ae652dad93a.exe	Zombie.exe
PID 2356 wrote to memory of 1456	2356	f24c49e9a73cebe8b6278642b1aa447f01518a2e166b64aaf7720ae652dad93a.exe	Zombie.exe

C:\Users\Admin\AppData\Local\Temp\f24c49e9a73cebe8b6278642b1aa447f01518a2e166b64aaf7720ae652dad93a.exe
"C:\Users\Admin\AppData\Local\Temp\f24c49e9a73cebe8b6278642b1aa447f01518a2e166b64aaf7720ae652dad93a.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2356

C:\Users\Admin\AppData\Local\Temp\_KB2919355.nuspec.exe
"_KB2919355.nuspec.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2744

C:\Windows\SysWOW64\Zombie.exe
"C:\Windows\system32\Zombie.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1456

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2248906074-2862704502-246302768-1000\desktop.ini.exe.tmp
Filesize
149KB

MD5
b66a063f519441013891363a4900b336

SHA1
8080c9e85a1c56c3ad5c7f666807f4ce00f7c031

SHA256
e11289cba0d0613e0601f891b52496d665509202828e1363e5bca9ac31b8fb86

SHA512
4efbef7e2b6137d5043079f86fbafa3b8995c4fd1e24b8ae51c3f1674201efd0e9c6bac73781d6cf1f1fae27ccb8731738ae3cb9d0269756d8b73e568c72f80b

Download Submit
C:\$Recycle.Bin\S-1-5-21-2248906074-2862704502-246302768-1000\desktop.ini.tmp
Filesize
76KB

MD5
2798d1e0a4e8155b75aab76ad962842c

SHA1
a9be927ba9cd4edb9f89f9e433f628210eda9311

SHA256
25b6452b617e2e1e9310543797624747d8ff241915e52394f3c1aa55c34947a8

SHA512
226b4a85d7d377432f0b34c9f9431fdd7ce92a5e9cce7353d973ccf8e831169352162b3367f81383ebec7ef8e1f2799ee3885be8f33dae40aa5c29c1ea3536f4

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.tmp
Filesize
22.2MB

MD5
b5e7e2ffd3be688c90ab0c732b00a658

SHA1
194f2e19828ca10c855a29eb97bdc961640cdc92

SHA256
749e2aa6e9f5a39184d85b8b96053ee2a0ac7077cf632fd8057533c871989938

SHA512
21880f310b114ee2f651570906086478194a4fd0e4f6f2d839098ff3a8c24ee35c757a30c8f24dec3046c8b375f28bcd6e044e757c764c58c209d9406d2a33ac

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.tmp
Filesize
1.3MB

MD5
99b5ac890bf91dc05fda0aefe6762f2a

SHA1
ab5dcd45c8ff3c70c892d74de8227bb29770b16d

SHA256
c2580ad3370a0112977b95f3ce0d64f430b4359ad2d3a71a064a70b33970aa46

SHA512
be0e5f3579bfd4ee383596ac71ffb3a1c68fa80f78eef40a3eff6d422df54860e3c4d501be04ef632e090bfec1c6bfaa8c1f21aa222f8025b9f526531d9d6d5f

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.tmp
Filesize
23.7MB

MD5
fb508bbeb2226241ac03ed49020fedcf

SHA1
4db67b46306658dec8d9f96a45b26783f68a1e82

SHA256
567deca06f223c455e2c5eb2384a5bf06fe4f0ff658ef779e947ae665ebe9104

SHA512
749bdc8df30b5f5f4f8df8820d18700d3c324a3786f5769b59ab1caf4b415c940cc6ef66dc9d8311a84d7ebcfbb6b47befe6d88b34cf48cab7b09239b020a7ed

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe
Filesize
222KB

MD5
10adbfb7da920bbb562fc16032d3e53a

SHA1
e6b901d4edf313396ad6e9e693719c75a704978c

SHA256
50495f15b2a5a896bbe5028c48334a596bea52b9e68cc9029868a5463efb4a64

SHA512
dad4bb2d7124f8f670d2712a8c9f3a799d91f9685043af663348f1170800ee4b6b4682ca06e889aa300671661202c9ed8ab76f77985016483393bd04fae8710c

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\osetup.dll.tmp
Filesize
2.4MB

MD5
69b486ab7e2375103564d3642ff550f8

SHA1
d873c99be634d9fdf223a5cf93ffdf091102b5a2

SHA256
0484733de2690b1df3ba9fc43850bf4a67357e573374ee0d3ee2c29e62c6c6ef

SHA512
9ba68862525ce11d47bdba60796d5e64dd9c103a6605d476d31e61953c31b2af7e4d037a6398fe0727fcc7fa4dce3ba5249a5b3bcf2c9a824ae5d5f84c675ffe

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe
Filesize
1.1MB

MD5
243f1331775114ca8194bfdca4f62154

SHA1
988face24fe6b516acdb24ddbfdb83244122be47

SHA256
b450a9f1fc0cd36eacb07588bb48a6e70db0e9e942b3dafee13478840f0e246e

SHA512
718b2f7d9d97fcca45f3603de6d3829d089edad2c169b062bf366f4991620df6d6458c97752034ad57403ee2a3ae9fe95205d65fbbe614b879a0037ab3f8fc73

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.tmp
Filesize
8KB

MD5
07c89738f2855c14f71cdde144eaf9f3

SHA1
5cc29530d3f1f734fd9b74ed264b7978b4336295

SHA256
c146e1696045b37a08cccd0f82f3de3e023a9b016899c675438f5483280a11c9

SHA512
3ef9056bf807a0d1efa22b92c0624dfff9a5f199624998b7be309d4bfb4a8ecc34ed6aae0fbc63c12e14e9fc35283aec253e8fc8b1baca9fa30073b52edadd18

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.tmp
Filesize
560KB

MD5
bdf0ebe5824238b72fbac7ad22d1ff51

SHA1
bfebf654849e00f7da48d60b4b05896bbe79f7bd

SHA256
aab5e28a10b8479ceebb5c1f6366159e4d599009711d635884bb8ac43b489024

SHA512
2269b8f204d425ef4e96ee9b5b470c236bbe0daec10fb993722ef7f9c4d4ad05a5ff3e6b77594fac98bb1703957fb27196d5b9d18f8a9699a03fec93695e87c3

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.tmp
Filesize
3.1MB

MD5
c5d670f1307d83f17dc2cb7c5c9ff8a8

SHA1
9d3be32958c0e8e727c4c23ffac9d8044b548098

SHA256
d33949c3985defc7e3ea674e4e8f7f01207110a47c776d2c44ed2982880cec07

SHA512
4f930676f01b77c16703c6110f582d1c22d7e762a2306d38786110f456bdc4619784c69bf24b7d4bd3057d8c3ba5d351aeec2f7aaa951152778ed574cb98a09f

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.tmp
Filesize
80KB

MD5
3c00b8eb5909f40df664bc51c733959e

SHA1
0d4310d09608637b4bc562686021b9c1f10f32a3

SHA256
c4a6ded29a1d567385c6f10570e8dc7c9a5414c0bdc13cb916f9c15edef055e6

SHA512
3d3938b29a53f208be7b6085ab936282cba604a1f111a978d85a96b9182f7cb9c4bcb5c9087e5ba3aacbfaa6501a6b488971e51430f4a10b03a866e866e4bea1

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab.tmp
Filesize
3.6MB

MD5
83dd5e1b1621f334fd7cf4166a189ea4

SHA1
5410cb9ac6be5cfa5f1d2bcecdad7b921d42f5f0

SHA256
e76718f3bddffe6ead9d589974dcd69322a5203c9571631b9970b975064b5d60

SHA512
ea839be334bf9279d8870866ad72b92ec7d46fa3c2e9339b33f65a7171d49191fb64dd5ab1870d50a08df01db29708bf3ab5dd0b9242c8e03df67d5e3fecdc4b

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi.tmp
Filesize
2.1MB

MD5
4bf734d18ed8059fe3a755eb29242246

SHA1
3407f97b0becf33ebe643eb6c64ec23a1e51299c

SHA256
32635ead675b3fbf5ea307cefc711aaef0962ae380af741d6f51fed586a822d7

SHA512
e0acc804b7da9727c7d6b1aca51cd03c216cf20aa7dcbedc6e1fcb4aa8135bf78fdb08f3928cc4843af65e2c369e96abedf4be802739e52bda3478ba690de386

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.exe
Filesize
81KB

MD5
e4019e6ebc0a663df7c7edb07580f255

SHA1
b8825ba947f263f2c09cb4b71aba8209080f8073

SHA256
c7d28de7e5503b5ca73e696ce3fb7abb90e9e6bcda338ed8ce7053d5b45a8eaf

SHA512
bb1fc8e0de99f171e641298f81db0f8461b904ea7d0e8d33eb7c9f8560b4593a31a6778bf95c71c0f2c53b61079da15c0b1ebd57f9626207a309da28c073a006

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi.tmp
Filesize
1.8MB

MD5
dcecff5d9fce97c0a13861722a156ed6

SHA1
791b2a8946cff7d86e3351fe59475eb9795886be

SHA256
b100b6d071e6fa34f4db537cd7e09f94d9ffa23e5d401535151749fd50c9a778

SHA512
c7575d544621744b00c39934bce325b6ec006f1c079e54c588ee1e5a9ae064a553c31d0042f002fbb6ec3a662cdf3435e49db23b1f1f32c8b5ae1df77a5b2f23

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.tmp
Filesize
12KB

MD5
db5074e455452ed93fa4ea03c5770354

SHA1
3472fcd9808ad35e9214144e76eb75b21d88a786

SHA256
d700681cd14e2829e8170c383a023aa3dedcf20964ff03644ca81c533f7d9424

SHA512
aa862b76ea04967d46a278159cfcf8412a4b503cf1afab9b61ed97ba118450917f8f7a4c004fdc6f057168ac06736318381f1679248a18aa91e6ef0115ba2bf6

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab.tmp
Filesize
2.5MB

MD5
24715d504c58e53da98ae294e93fa1fd

SHA1
5e1b8834002663072e38152a9ff295cc86ec2f25

SHA256
c2d43e461b025c8d708be2591b91a03c14680b14fa2b3117cb31bb0a4b1861ae

SHA512
041c9d94a49bae84490bb8f1ae42c24ea2504f78a27b213fe5c7b16efc14c420dbc14e3ab2484e34394e8fc49c23d415eb710b6ded54b8efe23cb64c92d0f355

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi.tmp
Filesize
80KB

MD5
3ebab7c9216638f90494830589020f0f

SHA1
446598d93d76ef2ac1aba9fe13ae3d64f70526d5

SHA256
0d1746ec5da28f8eb94b2c238a86b75e8acddbd820e8a685f1ed63390b6ef8dc

SHA512
f72cba38e725170a998f9d54b19cc0a2ffabe8c5dd6187408726060cafd0d50ae0309c36e4cdf8188092f0cbbcac106b5b4ae8167d4a83d17d3748da51c9c789

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.tmp
Filesize
80KB

MD5
7c58b3025688f10b0bcedd3e75d6c044

SHA1
229efbe02d68caef7532c826fca1e4c16226be61

SHA256
bc3cb7103a9fad686820d39e078374aa61b6b49ceae52351224b3bea1bb629cc

SHA512
98e9d899dc64885f9875f79396a5e8c2c3f66f75ce36ae976e51a0c4f7c989aae10f0c8f81436313c01564dc4a6f9097fc9608e10028c45639867ce1c696cadc

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi.tmp
Filesize
728KB

MD5
230a7da172253b26108f71e245818c0b

SHA1
c1b8e48fff683d59d565e9396801254906c16f5a

SHA256
09e87b0e63597e67fed6757ca09d4b7f84813f3566a933d5a1e0665d2f0c764e

SHA512
a79f0eb8eedd930f079e372d79ce38a4c098ee9740b1c83b1af960e2d58a17b5a230b6fa35a8b3fdc11225b68a6cf13ae12422da7379e6857f62c0608ae3f627

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi.tmp
Filesize
711KB

MD5
6ff2030694bc6fc57330b84d61092f32

SHA1
695ff4ee770fc9c4535d1eb526801a7d3c7e1f38

SHA256
865167fa6775bf3c093ba61ba077b0df8d4367a53cd310ecc77c0fc11454171c

SHA512
c719a56a1bcfbb7726b22ad25a0b74278ad120988953f63c2a6f0c50e37c63ccd99473e797a957f9d9b46040208b8c5e900e16cb0d1e6b7be97395716ac16f3d

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab.tmp
Filesize
6.7MB

MD5
c22e4b67da24c0061dce0a4e7ef177cf

SHA1
cb94a64e386c1d4ee730b504c10a17dd2268ffe8

SHA256
57ec144fd0eca65c9ff0562f92cc851a649877b53eae5851a89aec0dda08350b

SHA512
3921fcea5a003c7391571e511850d153bb4f9dd5f69f44c7de13639a0c96d7cc9c8f8b955a62a7263fd95ff208f83722e0c07ef1ddf1652b6450890c446b49a0

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.msi.tmp
Filesize
664KB

MD5
efd113e64bdc67d21a63f9c87b3fdcef

SHA1
42c8c36c10c2b64920b16be47e4f3d487eef6cc5

SHA256
094912a314859050d6ada89c660864f2f100a5df672b5938df21e8c409b40249

SHA512
fb2af6a1af7034ef04674bc214ea2e1ea6a2c5e93ba9351b94655f7937f8205d65fcabb6f4f06e3188f020fbbc5f4a81230366f5ffd844a34f436846cc069250

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OnoteLR.cab.tmp
Filesize
1.0MB

MD5
6621eb23ec17ed9d449092aa85d6001b

SHA1
e8f2a3209132fe3be3bd6835b04d7a43c049a69a

SHA256
900609cc895499822b8e6181dd6fec1f63933f73c31f2c560a47288a5d7de3c0

SHA512
d79c62dea14125ac3134c4678afb5cf58fadfee321e67476bcfe5756a4557eda8f1f0cd32b46fa35fbf7889292233fc5dec066ebedc8a54f07c1ab4962ab569a

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OnoteLR.cab.tmp
Filesize
16.7MB

MD5
d664b8f73b6f3c3b60fa2ae23114d964

SHA1
df0c1330e0108c422b776d3e9bb5f3eb985aa645

SHA256
856af2d772d5ba40232ae89bfd047177c4cb5f54d394160ad440054ecfb57feb

SHA512
73bc43844da79cff10f6a45de57d586f207d0079f901e475539ee1d3fdfa4be920e3141ce56ada9d06bd3a19139ef1afe9eb005bf33950cbd771a5c2a005243f

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveLR.cab.tmp
Filesize
4.0MB

MD5
7e571c056b6db700c5996d4bcc479e23

SHA1
53418a902251b42f0d74086d2c4763c65e4794ba

SHA256
003d7fda236e60a8d1b41f1e45d6065728b32a6fe68cc1456570dd839d9f12af

SHA512
d363124a6c2b7d4f183540cf37e7d9d5f1db7e4e7004e5a9b9f6d551458128a79376be06a12c4d8beaff6029f2d0f1b92ae91597f65ab5ff778558af0aeb01ec

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.msi.tmp
Filesize
32KB

MD5
a579414a34543f629d7c358bced166e9

SHA1
af8e4237a08fa19162118efeafd5273cc7c3e330

SHA256
8adfc2d735e46d84e5b72a52c3254383785a474c8254ce9c8dfe050ff16b1f0c

SHA512
acdc318bf99592fcd588946bc906a0d0f51f5dc83fefb9c9b0a17deeaf5a0b3c728c62d4ce16dbf16f97e0c94111850e39c2447d7f9cb70a2616f1679dac4a72

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwintl20.dll.exe
Filesize
181KB

MD5
ecb7bf7c2fc03ce1b2caec74c1014838

SHA1
70529ecee2e1863af7eae29979e6f952b52cc253

SHA256
a964068222e26087689e555bf17c0ff5bc9c7b67dbe3cfa43e6b2f521cc78b8f

SHA512
a6565ffc11284c87138407086a5b2897874c264013c99aff9e4890374de72f848ebb9a74e7d26bcb607322bf6bb45c333e7bfc3250b3271eb7006bd23a841edd

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE.tmp
Filesize
588KB

MD5
7750a0f48947876debac335b54ea74b3

SHA1
b265ee2c9b38b0d27594e8b07c81a21fd4d39778

SHA256
85d98df692364bad63090b9592e548af79d04cb821a03bed4b3a4568a3ac4bfc

SHA512
26cd51172c73eb1fd3f5a2bb58123339325e7a0c8ba5b84ecb80cdd69e89ee5aaef7c7843b9979cb83c545dfe3a091b8460729d56067e62adff2cd6416d32aef

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE.tmp
Filesize
895KB

MD5
cf095ea0e16a11edffb5389808e7e1f0

SHA1
0f680494c24d3a2eaf5a6b33188836d1d50b2544

SHA256
3f66598a6aacd31a1f1866b9e78b713472abf0a766aede8fada0c28c1f39db30

SHA512
d9ebd6ca828f3a2591f00b83e9ee8b4f2dfbaa0cd7fb1f609cdf5c83e7a4bd27c800fd4531aa5049b391314410660a7ce6a9ad4506882f90432efa1c6a4ec6f5

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Microsoft.VC90.CRT.manifest.tmp
Filesize
80KB

MD5
9c3e8cd8610dddee750ec19c303a3b3a

SHA1
1e852f6c4228733fd5d4e7bf79087f10bedc3558

SHA256
88795b727409c5fe6eb3950d7af17049f582a9d2d2d222a940d732effc2ac478

SHA512
30205cbba651a80ca91d305710e91e75245289b57cc9b886bb3d83de7c00ca5fb39478caf5f9caa8ed9f8af0c012f5da0981734b85a8d40447503cfe13474cd7

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.msi.tmp
Filesize
2.8MB

MD5
67d7cb25d2a584a2ca38aabcc5a25341

SHA1
e17c385c8aee2a5c63c5d6ca80ad71348835e223

SHA256
c6b2f19cc322fd415710b5f5af1a55f8d683726d664ca512e343f3cbcafea00a

SHA512
47e917434f4200ccea467d06a7ed9681c6b8a8337127ea4b87bf77e6e3022b0e2ee9449cf5c062ae8d87c75c9c9f72e88ffe6ed2996ddd49980c85468ee65372

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.msi.tmp
Filesize
711KB

MD5
81b24b1e10fbe9e009b4d69decbe949a

SHA1
80e34b478d4b724a4f711d4899a5b1289c2abfca

SHA256
fba22415634acfaa696532bc11ded4497ca8c0a37669a0eedb9fe587b8b07aa9

SHA512
97240f60a1db1604c0808619391ee190733ec7e7c65450a3867dc780a70d4698b39c79c99702aef392f2b669de2bc21bc88510e57f18d768db0fa7672d1e84ad

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Setup.xml.tmp
Filesize
85KB

MD5
405d7e460e03a730c7497202e43cfe1f

SHA1
bb02ff04989d63133008347660570b70bdae7615

SHA256
93abba49cb859ebe16e4d57a8ea475158390be45944f3f272d5d92c9eadb8824

SHA512
9c80f534b16b47aa37ac46b4c0b90bbfe8bbb896ee38d59b99c315d6c0a200064171478621fd641b956b8b07ab19404536872e493388e7a0b204fee674edc837

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\ShellUI.MST.tmp
Filesize
83KB

MD5
b5b1b7d948a6cad593972246d1ef2594

SHA1
265d7acdd36fc4566ead072439e60f8a73376bfc

SHA256
38d1a1157c015cd6c3ac51a55f9881ebf6c619603b5b6004e0861feee1eaf696

SHA512
b994b6acfa07e062f30d5a9d7b43787537c04122b8c0a23ae72b19c9e630823c1c9b128c298aff4d5ab878d86b0bcb7feb06f507c13a2789532c92390378b42c

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\branding.xml.tmp
Filesize
512KB

MD5
22131eec47fcabbe52d17d9e17e78bc2

SHA1
607f7e4401bb052f6c50b63034e708fb2d98f2ff

SHA256
27da4a7be881ae5b20bde0d2b5730c55eca5cfd2f2e3f7cc2512a4a2d5a7d955

SHA512
c63e5f94327a02edb553041ca34f2d723bdf137591558e6bc909061dab5faaed0de938757c29c556d490eb2dee5040d753e524ef79e1edcd1b76606e438abbd8

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\msvcr90.dll.tmp
Filesize
76KB

MD5
34c64b7215b0ff36c57afa7928fae0d1

SHA1
7296dfe1acfe5e45769839a0a726a40d4de79686

SHA256
79102393a74b9ffbaaf4be00373e5942b9961ff7ae1d71134c78643973b4dfac

SHA512
87b45128eb70fe6b7d5f97f39421c1017547a0117bcbc73ded2f5698e24d4a1c99d50fada9258ec1a4ae4a16dc4073e766ed24018548c2bbc4452f4943cb6423

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\osetupui.dll.tmp
Filesize
80KB

MD5
f8de4fecb2ba2e3a964df6befce63500

SHA1
1484dd87cf60ff3a7dea208f55af9d84ee5ffbd7

SHA256
78ae70d583bc3d473d6b8c09df21febc3ea084c534585f5ee3e71b3402bf2771

SHA512
4f50bc3039c5f4bed4cb6978e99197c911e63be07e9dafff54e330b9f64e9a7297fadfeda3ec8a567cd5f102493752bc6fefb885b5fa25b0bc2367d648d8b793

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\pss10r.chm.tmp
Filesize
32KB

MD5
b8ed03623613ebecb1e953aee5a3aed2

SHA1
93703bb14fb84f98addae16cfedd0e6cd7ca1dfe

SHA256
b76af898fcba2e573bdfb6e9be6da69d026b899e274cc8d50701578b0684865a

SHA512
870c757c02f650e4890d981bfa49a5413eedeb0dc6bfe222c63980d810baf1b005acfc01fdae628390154a6525f1e71463cd3162a0da2c245c9b013112034de7

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\setup.chm.tmp
Filesize
80KB

MD5
456092bef1297f6a172fdaed88b64b6d

SHA1
21799cf9a6579eebfe04442a5aed945dc85a0644

SHA256
c2cbaf3948bee4087b5b1062448a9e95a47bc7c135ac375174200ebc62cbcd53

SHA512
5237e66d2b5a78640815e201435d60e636c0ff6e05180472977581f8dec5ff594073291f531b82853888565a65b1241a68bbea71dc407e1b9226f347bf4f966e

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OWOW64LR.cab.tmp
Filesize
1.0MB

MD5
a29e3d371d1db8dd7e78d47608ee1109

SHA1
5d47ff49d9a4a20b9826d81203d395b0749c068a

SHA256
12073acda723901c65cf03e6464183e1941e2f3e536eae05f8afd2ebb4525a37

SHA512
21e22caf030d15edbffd5b7ab11a5a6c3d1f5b2e80f14286927f77fb7b6a32f9d068f215ab16ab44bc03ba7c8eb7f3df2b6ca2aaefe834f23f5184effd9f64eb

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.msi.tmp
Filesize
56KB

MD5
212e9bf447efb11daee79130e21ddba7

SHA1
c08940a3e89822eb2b0438ccb503edc1fe3c2420

SHA256
8ddb4db6a1d161689063d8555c13cd42cb81d68ebca912054a986e97fa0bb8c0

SHA512
fafd2015ad3ac1ce71318af8b7e57eff3e5c4bffea292638c2d6e5aa152b4b68d286c600e7231f180f4181e7ef0a220abb08a27495982ade4be5b45c0230a159

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.msi.tmp
Filesize
714KB

MD5
7ffab27f6e374184b3ec93c4686be70c

SHA1
adc325436e71ce7aab26555960ce96641b026a63

SHA256
36631597cfa00666b902716e0f63b9a86eab7838575c9e620247546e68688195

SHA512
2f007366dce123ba84132d6c59505867c086045c3dd84b6b54a53daca8121190795bcfdf946655a6b27bed5943b9704663030fbbaea5fadc5634463043526f17

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUISet.msi.tmp
Filesize
711KB

MD5
ac8756b80ba7bf7c1033b7222e3a10a1

SHA1
831e0e9a8e035079467f79eb6d4e344ae6d23423

SHA256
9504850d4540482a93c948856e8137a4ded5c7589a1e45a6ac9ebaf6767963db

SHA512
606d4c4d70cf2e51bae3d543154d24971e345389629fb829fb4817eaac01948d892be794851adea57e32a6967a933b0e620b056efdab8f1b36303a35eb672d79

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccLR.cab.tmp
Filesize
26.8MB

MD5
1891a4896dbd3d2f59f9e46ebe39f8ca

SHA1
39c5e23ef24a79787af7ce686d513d704ba22307

SHA256
520b9d2f29cfa1d14fdaa7c79033d24a325cb941043d8132070474d30c40b4db

SHA512
a485ead8a2a8edbefacee621612332bddb1aae572dea959ce874bd002b6a101753c65e6b91f1426f25d5b4c9e6abed2a95cc6f0512faa6540f276c28904d9d9d

Download Submit
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html.tmp
Filesize
104KB

MD5
25f915845c2ced20ba4dac5aebcc794d

SHA1
fd5bfd514291f9444e69f4cf185498fa64480692

SHA256
acef790646e0d6ad574f21e9548a2812eeeb8ca7b062d4fba47629cacd3a46b3

SHA512
7cdea055fa7369fe174aba8a9b0a25315ab85c0bb4f65a03b34de60178feed05095737c664566341164dfc84916141bf13ee1fbd2a8b2f7daa047b6392ad0d2e

Download Submit
C:\Program Files\7-Zip\7-zip.chm.exe
Filesize
189KB

MD5
7f0879f19f67b21ac6c4241ad346f47b

SHA1
a0a1ceeca31bbb19742073752cef746a26e53f92

SHA256
07398bacd4c9d70deaa3eb5a8234765403213a8fa8557562d3312bbd9b707743

SHA512
33e64a06de49ab8e23b831337db78653af17f3c984d85ffb9f50df740325805f870ec67579b67b3700d9c5c99affb7990b0cde7a0727fd3851cfbf8255e6501f

Download Submit
C:\Program Files\7-Zip\7z.dll.tmp
Filesize
1.8MB

MD5
e0c91531e0e42bf7d4ef81256e2afb68

SHA1
4f727dc22acc56ae4f7d8615fd6f8fbd0747046d

SHA256
0d82cf963dbc67f98fe6c5afa5ad1b60d5c8ee4f4ef2f165fc701a35479785a6

SHA512
3aa66d2d7ce83e8ecf8e0f15c27e596758666f9835ac45410baf0d09d4e9d3007d521e4e838a70f509a0d84584631ff06d793f0491e555f874db5e78d1e0e06c

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
620KB

MD5
fe763134824f04ef66065e8c3529c696

SHA1
684c7be469a043a45b4ce98e4b5f391a5cfb3d0f

SHA256
303e512dd96fa4afbd055b526898ce75e44e8b61a723fae459d67481c097b543

SHA512
533189c0268f8604e2d1c1f0427cbe51fe0d5f1f7246bc26d0ab30ee08125a521f961c5ae9b12cb9d4c6880538485860984a1ea2bd2e9d1f6743b9b92bff3345

Download Submit
C:\Program Files\7-Zip\7z.sfx.tmp
Filesize
285KB

MD5
1feea76791c7ead5e5f97905cc5a1322

SHA1
0558cd554647a47d9c009c56568ec0dba182045b

SHA256
9c8746c2b682857db5a79bdce8daa625291d15117a58590102b725473fb82304

SHA512
19c14d993746f483170caee8b5a004a0d04d83f749b47efebd72086e1a54c3f7f1c06023d6fd720b41cc85d75cd960ac940f02259dd76cffee4f0a2c7a2c09d8

Download Submit
C:\Program Files\7-Zip\7zCon.sfx.tmp
Filesize
264KB

MD5
732f364f635daee17abc9354b35c53a7

SHA1
8021489538ffab121a82613c97cbed39c88e82e1

SHA256
8c43ae6cdd48a2f09bf8b3bdf477d74a42d3243cf2762f88f78003cb0289d986

SHA512
8f158e22d9af358eafc993b429c7dab431f4acd423bb2ff317ca88f5041a0bca7a9783bdd9c878504d006282b9a9479789b3aa0a1102953f9a479cb473adfa50

Download Submit
C:\Program Files\7-Zip\7zFM.exe.tmp
Filesize
1006KB

MD5
00937f50145230ee64ffda7c3482decc

SHA1
ee11e86e9e32a7e04aa22646bf5602c4cd641731

SHA256
d9e6b5f79ee0c864cb24f7bc69adaee755ae55635ff70acd326ee90f2edfade5

SHA512
d45a01a9afbe696410212ea59f5dbe8d870cc66b96aa062fbc0f704dd5926cd9a2df58575987149ef6ef0bbde7fb7147d5fdae00c4e86da60d54f8b4780b29c4

Download Submit
C:\Program Files\7-Zip\7zG.exe.tmp
Filesize
80KB

MD5
31cf242ad50081dd4939da8e8c9f24d4

SHA1
efeeb4e59867fac7d25f1e2bc18b6c5de76dedfe

SHA256
8e2da4e21bbbcd307bb849fbdf0878fea714ce0b86cdd28fd5e9319e27f8ba16

SHA512
7f07955936c68a8b79adf66bd49d976785b619b13ece54690277ebbb209a9480b348e0fda13843d6116c8e3d458fb842241353c94ad10babb98fa2c6211e549a

Download Submit
\Users\Admin\AppData\Local\Temp\_KB2919355.nuspec.exe
Filesize
76KB

MD5
4bb251cb77b376f37f065cd717c07a4c

SHA1
95ffb14406ed6f637f0e2768b519bb339a4e2e8c

SHA256
6c2a53b2865e33f2b9dd3073a4b9255e2c0242ff8520602858ad299e980c2b69

SHA512
07195f12ac37dd91f49e35764491319aee4f72e9785018291f6db930ceef8ff5a38f7fb9e2d36f3cfaae84c79b00b1f90806cf60f8461540900f87f9fea0179b

Download Submit
\Windows\SysWOW64\Zombie.exe
Filesize
72KB

MD5
91d3e21ecb3b3a942d88fd8245383978

SHA1
5afa4c1f456a92adf42c0c1c3315402bd4d4bb1f

SHA256
70eed4d2d51eba4303cde9c9401931f960479473db7586caf3c5f13d5ff9cc93

SHA512
4386b5578c3c248c9809a4912bc560c8e4fe4924fb33eb04827132d1f8112d9c1a87a24353397b103b72aacaa94a7c74674ba992570ffefe5aa67bfa0db93e3e

Download Submit
memory/2356-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2356-8-0x0000000000260000-0x000000000026B000-memory.dmp

Filesize
44KB

Download
memory/2356-25-0x0000000000260000-0x000000000026B000-memory.dmp

Filesize
44KB

Download
memory/2356-687-0x0000000000260000-0x000000000026B000-memory.dmp

Filesize
44KB

Download
memory/2356-226-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2744-14-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads