3f22d670a1b2b1c6d4cb12a5553a57d88849620a0c55f371dd627d9e938c4e3d

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
26-05-2024 00:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ed3cdf82a46f3edf5e4d7cacf8230e0_NeikiAnalytics.exe
Size

163KB
MD5

3ed3cdf82a46f3edf5e4d7cacf8230e0
SHA1

b0006168edd5ee8d6e299ad7825cd35efdee8006
SHA256

3f22d670a1b2b1c6d4cb12a5553a57d88849620a0c55f371dd627d9e938c4e3d
SHA512

1320e2b2b252c68f406fffcc578dafee8a10309d440fcd0ed647a4531e17b17af6d783573e13e563ddfcf4a726cd4a79ea6faf1f1d83d0e1f51319d17484b9f1
SSDEEP

3072:6DWpwE7oL2e+efZwZ/DWpwE7oL2e+efZwZvXC:dN/e+efiwN/e+efipXC

Score

9^/10

ransomware

Malware Config

Signatures

Renames multiple (5486) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Executes dropped EXE 2 IoCs

Processes:

_Get-AppInstallLocation.ps1.exeZombie.exe

pid process

1840 _Get-AppInstallLocation.ps1.exe
1664 Zombie.exe

pid	process
1840	_Get-AppInstallLocation.ps1.exe
1664	Zombie.exe

Loads dropped DLL 6 IoCs

Processes:

3ed3cdf82a46f3edf5e4d7cacf8230e0_NeikiAnalytics.exe_Get-AppInstallLocation.ps1.exe

pid	process
1656	3ed3cdf82a46f3edf5e4d7cacf8230e0_NeikiAnalytics.exe
1656	3ed3cdf82a46f3edf5e4d7cacf8230e0_NeikiAnalytics.exe
1656	3ed3cdf82a46f3edf5e4d7cacf8230e0_NeikiAnalytics.exe
1840	_Get-AppInstallLocation.ps1.exe
1840	_Get-AppInstallLocation.ps1.exe
1840	_Get-AppInstallLocation.ps1.exe

Drops file in System32 directory 2 IoCs

Processes:

3ed3cdf82a46f3edf5e4d7cacf8230e0_NeikiAnalytics.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Zombie.exe	3ed3cdf82a46f3edf5e4d7cacf8230e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Zombie.exe	3ed3cdf82a46f3edf5e4d7cacf8230e0_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

Processes:

_Get-AppInstallLocation.ps1.exeZombie.exe

description	ioc	process
File created	C:\Program Files\Java\jre7\bin\javafx-font.dll.tmp	_Get-AppInstallLocation.ps1.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\de-DE\MSTTSLoc.dll.mui.tmp	_Get-AppInstallLocation.ps1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-templates.xml.exe.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Adak.tmp	_Get-AppInstallLocation.ps1.exe
File created	C:\Program Files\Windows Journal\de-DE\PDIALOG.exe.mui.tmp	_Get-AppInstallLocation.ps1.exe
File opened for modification	C:\Program Files\WaitRead.xml.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_VideoInset.png.tmp	_Get-AppInstallLocation.ps1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\license.html.tmp	_Get-AppInstallLocation.ps1.exe
File created	C:\Program Files\Mozilla Firefox\IA2Marshal.dll.tmp	_Get-AppInstallLocation.ps1.exe
File created	C:\Program Files\DVD Maker\it-IT\OmdProject.dll.mui.tmp	_Get-AppInstallLocation.ps1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\jdwpTransport.h.tmp	_Get-AppInstallLocation.ps1.exe
File created	C:\Program Files\Mozilla Firefox\xul.dll.sig.tmp	_Get-AppInstallLocation.ps1.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\Content.xml.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Darwin.tmp	_Get-AppInstallLocation.ps1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\JdbcOdbc.dll.tmp	_Get-AppInstallLocation.ps1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\vlc.mo.tmp	_Get-AppInstallLocation.ps1.exe
File created	C:\Program Files\Windows Defender\it-IT\MpAsDesc.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipscsy.xml.tmp	_Get-AppInstallLocation.ps1.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\text_renderer\libtdummy_plugin.dll.tmp	_Get-AppInstallLocation.ps1.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+6.tmp	_Get-AppInstallLocation.ps1.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\Microsoft.Build.Utilities.v3.5.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.nl_ja_4.4.0.v20140623020002.jar.tmp	_Get-AppInstallLocation.ps1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Istanbul.exe.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-output2.xml.exe.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\Australia\Broken_Hill.tmp	_Get-AppInstallLocation.ps1.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Danmarkshavn.exe.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\InkObj.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\TipTsf.dll.mui.tmp	_Get-AppInstallLocation.ps1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\libxml2.dll.tmp	_Get-AppInstallLocation.ps1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derby.war.tmp	_Get-AppInstallLocation.ps1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe.tmp	_Get-AppInstallLocation.ps1.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\WindowsFormsIntegration.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\vlc.mo.tmp	_Get-AppInstallLocation.ps1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe.tmp	_Get-AppInstallLocation.ps1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.nl_zh_4.4.0.v20140623020002.jar.tmp	Zombie.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_output\libflaschen_plugin.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Madrid.exe.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-windows.xml.exe.tmp	Zombie.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ml.pak.tmp	_Get-AppInstallLocation.ps1.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\button-bullet.png.tmp	Zombie.exe
File created	C:\Program Files\7-Zip\Lang\da.txt.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\grid_(cm).wmf.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-openide-options.xml_hidden.tmp	_Get-AppInstallLocation.ps1.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Title_Page_Ref_PAL.wmv.tmp	_Get-AppInstallLocation.ps1.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\highlight.png.exe.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Sakhalin.exe.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\locale\oc\LC_MESSAGES\vlc.mo.tmp	_Get-AppInstallLocation.ps1.exe
File created	C:\Program Files\Windows Journal\fr-FR\jnwmon.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-util_zh_CN.jar.exe.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Brussels.tmp	_Get-AppInstallLocation.ps1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_pt_BR.properties.exe.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-output2.xml.tmp	_Get-AppInstallLocation.ps1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-lib-profiler-charts.jar.tmp	_Get-AppInstallLocation.ps1.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationBuildTasks.dll.tmp	_Get-AppInstallLocation.ps1.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\tipresx.dll.mui.exe.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\Ole DB\it-IT\sqlxmlx.rll.mui.tmp	Zombie.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-multibyte-l1-1-0.dll.tmp	_Get-AppInstallLocation.ps1.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\lv.pak.tmp	_Get-AppInstallLocation.ps1.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+6.exe.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwritalm.dat.tmp	_Get-AppInstallLocation.ps1.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msaddsr.dll.mui.tmp	_Get-AppInstallLocation.ps1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-heapdump_zh_CN.jar.exe.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\colorcycle.png.tmp	Zombie.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

3ed3cdf82a46f3edf5e4d7cacf8230e0_NeikiAnalytics.exe

description	pid	process	target process
PID 1656 wrote to memory of 1840	1656	3ed3cdf82a46f3edf5e4d7cacf8230e0_NeikiAnalytics.exe	_Get-AppInstallLocation.ps1.exe
PID 1656 wrote to memory of 1840	1656	3ed3cdf82a46f3edf5e4d7cacf8230e0_NeikiAnalytics.exe	_Get-AppInstallLocation.ps1.exe
PID 1656 wrote to memory of 1840	1656	3ed3cdf82a46f3edf5e4d7cacf8230e0_NeikiAnalytics.exe	_Get-AppInstallLocation.ps1.exe
PID 1656 wrote to memory of 1840	1656	3ed3cdf82a46f3edf5e4d7cacf8230e0_NeikiAnalytics.exe	_Get-AppInstallLocation.ps1.exe
PID 1656 wrote to memory of 1840	1656	3ed3cdf82a46f3edf5e4d7cacf8230e0_NeikiAnalytics.exe	_Get-AppInstallLocation.ps1.exe
PID 1656 wrote to memory of 1840	1656	3ed3cdf82a46f3edf5e4d7cacf8230e0_NeikiAnalytics.exe	_Get-AppInstallLocation.ps1.exe
PID 1656 wrote to memory of 1840	1656	3ed3cdf82a46f3edf5e4d7cacf8230e0_NeikiAnalytics.exe	_Get-AppInstallLocation.ps1.exe
PID 1656 wrote to memory of 1664	1656	3ed3cdf82a46f3edf5e4d7cacf8230e0_NeikiAnalytics.exe	Zombie.exe
PID 1656 wrote to memory of 1664	1656	3ed3cdf82a46f3edf5e4d7cacf8230e0_NeikiAnalytics.exe	Zombie.exe
PID 1656 wrote to memory of 1664	1656	3ed3cdf82a46f3edf5e4d7cacf8230e0_NeikiAnalytics.exe	Zombie.exe
PID 1656 wrote to memory of 1664	1656	3ed3cdf82a46f3edf5e4d7cacf8230e0_NeikiAnalytics.exe	Zombie.exe

C:\Users\Admin\AppData\Local\Temp\3ed3cdf82a46f3edf5e4d7cacf8230e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3ed3cdf82a46f3edf5e4d7cacf8230e0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1656

C:\Windows\SysWOW64\Zombie.exe
"C:\Windows\system32\Zombie.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1664

C:\Users\Admin\AppData\Local\Temp\_Get-AppInstallLocation.ps1.exe
"_Get-AppInstallLocation.ps1.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:1840

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2248906074-2862704502-246302768-1000\desktop.ini.tmp
Filesize
84KB

MD5
b1a1bfc3021bfc97ac4eace82117561e

SHA1
62a365c2af3f27c1aed6a89320475d7c138565d3

SHA256
a8865cc76a395c08a5253204936b172aae74f43a1dc768952fb474794ffdc308

SHA512
c5fe23f7f2023b72080109ee82e90bb091d89ee0b34159871756883f9b019a50308b2acd45c856111851b6c4d437b83e264338eac87afae9529ffb673e0c76bd

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.tmp
Filesize
22.8MB

MD5
bc5238db7a790d8f2ad8d873df66e059

SHA1
ee9c603c07c6d2808927a392b93c4bc469066d0e

SHA256
becd1510437eee62ad2a209ae20abfb020a52d4d9dc83d2def946fc3ccec6535

SHA512
7dbe498cc5bd445646a501b330b595931374d4628b07672ad6bb51062c0536fc7d18d604f969e360bb901a766bc8b9eb5c4fe8bd298cd722d82250e2ef8fcde4

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.tmp
Filesize
3.0MB

MD5
c1e8594910c5a8d5586918df2668f1ae

SHA1
65646d83aac4ad4ee8fa9ca433a76c6546c09556

SHA256
c2ed444ee501e388dddb6605b291ca95adfdfbe27cc68083f3b3f5aa4c25e4a2

SHA512
5a4b1ffaf67f6ddcc0a0ffa707f1218c536ef7986755e1d0b8e9df630d15ac8676113fc6cce6fab8fec795ed1038d7eaf3063d31b5cfe13a1e2035d7b2a30168

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\PidGenX.dll.tmp
Filesize
1.3MB

MD5
c3ebcb834bcf68b7dae6afc5dfb826f6

SHA1
1c8813ccf57fb3d39468e6e74b6df0535c1caf8d

SHA256
f3291fd67124c3b3a20235a0e390e65cbf3f0bccded5a4a78342c1ff482566ed

SHA512
191c7a7260dc0d14d08a35637a79e5ac439678eb7fea0e8ec14c7c4a4f27d39a23290850adf1d7b48d7cb2450e3921995c250f2e5afe665723a944b0e162917b

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.tmp
Filesize
23.7MB

MD5
41d05c51053c040ec2dedcfae123edfb

SHA1
1463f9567a92bb722b5ebb1dde3258ffbc3a9163

SHA256
e5bb12130dd46c189ff72b10a8d4710790045e29ae604676d627efb8ce7805b8

SHA512
9ba763e05acb1897f3457a4fe56d4bd1cc02e20aef98b2ec3737ff460e52693755b00baf32393d2214f91b5ba69d2d6da4104f888e115386e8f9702f0f7e2e3d

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe
Filesize
230KB

MD5
8d73d63865770439c0aa3e0a831b17bc

SHA1
41c315732696c67d51ee6942259198404d448433

SHA256
0e47a8866cdb4faedb90abb25cf9a1d17cc63ed95eac38f6720ac7c55cdf5d17

SHA512
910845be430489b7ea77a75c08e9b1a243d0ec1ebd1400af5dfec6cf80bf71cbe7c5cd6d9d801719244d03ba8ae246d37268940359ce4011749187eaa4148488

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\osetup.dll.tmp
Filesize
5.6MB

MD5
6fafad6eb267597cdcdd006fbe1d5293

SHA1
ee0c76eff50d869a241e46dc13d4539babd7fbe4

SHA256
8b986c6e31118fd5c68342618aa1e9ea3a8a78ecf0599068ee85df15796bbadd

SHA512
eabc151ecc026a458184520237b6d49ae4dc1e6022f67de580107d5abc5720b164f339688205f07c2e5ddefa3fdcb59df98f9a240c27ba1129e38498df6fce98

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe
Filesize
1.1MB

MD5
48dfab130c04cbf6c3fcf3c4f78efded

SHA1
1da9e1ac28f391dc2f47a5730973ce4fa4a1afb3

SHA256
6fd261baebad4dd1a320e2d11150ae81072b1f5aada774f9a2daae25b619fe5f

SHA512
1f6aa73bbbe0bb44bf526927ddb2b64f8316f2247b4a1fd9ed64222464b013112c578871862303b22185837cd8e4f9e9578c4925f0c8183c2eb2638e5791a959

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.tmp
Filesize
16.2MB

MD5
22bacecfb3e629d9529962c10c386952

SHA1
1f9e6e0d70258a5967df9c95276284f7f1e37799

SHA256
03b2adcf1ae89016dcdfce78f8585c54f0ba97979cd20a352739bf7e3595bc52

SHA512
2651aff71d762f68ff843465f4abee85ca57d112fd659193bb2ddd5e37b36232295c780ae651d79a17498f1ec5f3f94a82ac71b6a40d57866b145745c33aee7a

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.exe
Filesize
1.8MB

MD5
45608011fb9cdf71b0142a5bf1ab8bc0

SHA1
33038b3869287e14d37eb4267a40d9886ae86c1d

SHA256
bdde344a74ad97b6354d74c9949e7a2f48ec2290475a05db52c187883324d14e

SHA512
c509afc79769e3910d80114822da6b88297c10d7c033c22ad7f888cb256d814164d72b2051055d8101699c9d4a193d9dc8bd3e30a6d772918f7e5522a999fa88

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.tmp
Filesize
9.6MB

MD5
f7dc32064ba15c280d550a09022e95c8

SHA1
2bf0f02d6785b9d923ac0256673ab2cebcfd461a

SHA256
7fa63d2721e9b2887cd62700f5a2d5f910afdfccf8bb35552f19115d53bc8d0c

SHA512
78aa03b25acb9205c4b11d09ed77c4b452b846a0c3cdf8ddaf82919317ffa35ddda133ab93dacc5a02716c9fffa44b4b1d03443ccc1fe3c40375a9c030047592

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.tmp
Filesize
1.8MB

MD5
0f2129a726ac8a9bc7f3313d2a4789b5

SHA1
54f7126fe18cc91314ab5d2b83dc6a64e0be604f

SHA256
b1471aee060e22e1425f25c28f0c7af38de3108a154205c28f5afc6eee87a3aa

SHA512
7bbb5386444f31f925a5da2ec35ddb0873f8d80566e51bb01652072431744628edd61997c5800b7f5be8e9d4ec65187d319c90074cb12044201932b37ad96a9d

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab.tmp
Filesize
14.2MB

MD5
4b6269e5c32362e92aca52f16db5f92e

SHA1
125e95fd4441203f27943124c04a27ea4ebc3558

SHA256
7fe16bfbf2f086ea4a04bad578955c27099f17a839ad0bf0e023c3fae3b00b8a

SHA512
f38bb40d9aea83d5923f7883d4f23a6fdcd25bfc664cb38919d67614141a1f5e7b860c8ed3a0d547fff918a37cb9f65bde5ff04f6de6a472165777a81c5abae8

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.tmp
Filesize
89KB

MD5
5f3b1e5943d4c0689c7c75a1ea98329d

SHA1
d4faef082d8dbe89ec21c173f34c4c022502429d

SHA256
cbc06a54e72a931f142b7941a6306bbbe53d1a88ced9cec003546e8878ea8aaa

SHA512
5acec30259aeddf0fe18e168e54e4e10d182c73e2fca19d9b0ce626278930b8e58478bb895661310758a2f518d810ccaed9b27bbfc66aef73bd4ceadf8f91a7e

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi.tmp
Filesize
1.8MB

MD5
95ae721bbe4dff225156466474915cde

SHA1
a28c5fabda8dce3c2e37e80e51ffedbdeb1e716f

SHA256
86c0fc4374c96ffa889edb3d649850079b0b0c8e89115b7fe1dd41e2ef3fe717

SHA512
1230702662441052610d0132b87f3746930fdce93b3344d7b02c68c89fdbbe3c401ee23d542ae6d470511aef36e0ddfd63bd6125776c12f454a7faf4c3a91c92

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.tmp
Filesize
10.5MB

MD5
866c83ade04a56054e0c0cd83b7d6373

SHA1
e96bb1555dd8ba040ee1a7125fc69d9014a9389f

SHA256
2663abfbc7795ede2f7e273ab54794b48b5fcc94a5c72e000e475c2c70c49e28

SHA512
539839b1194f7bdd40e8e700e4d593fd4acdef253a73a8fc6b5af2cc1467f2f59359e4627fd2861c0c57ec51758e362929aa23cc08af268c97a0f02ea1fde4b1

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.tmp
Filesize
10.5MB

MD5
644915e8702a8c518bb8c62159f3421d

SHA1
44791e9f476c2fdff7871f8010d05a5c93eb5d9d

SHA256
11ef1e5e8f142392c68e4feba4584632f3cf13f946e3c1f35019467d280ff7f0

SHA512
2a28b6c0addf1295ce4d0194df86a2087477b8a2ed7b0aacf9b5aabcace83b9a8ecf9947ac425f44e91b589fb727946e124456e12f4965516ce3b4d2ae4c84e0

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml.tmp
Filesize
84KB

MD5
38c98a486fa359155726882636ee8dea

SHA1
eaa3d6378c580bb63b85e5b79d9fcac89bd2e711

SHA256
09cd42757e4e90e08d731fc1df344f23666517bdae16518e8264e5f27a633baa

SHA512
cb77634a36ff5f192045c603ce52b3e4887224ad7d8ad869ea80b5ec5bcb0058238bf706c8a8a90687ae3a33c4f75afdaa2db6f95058100bfeb02350b06de26b

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab.tmp
Filesize
12.7MB

MD5
19f42860a77bae0b8c6c4c8cbae29e12

SHA1
fac8c88b6d15ab2390936c907420e425b1e0a386

SHA256
7f990bf42edf286c151f9570de020418c9b4ed565215438ad145490e20d9f4c4

SHA512
41198af8fb4bf1e197c447594b69082479940c20f5ddd0242659d5caba89783882c676ef268361d90056ad8f0d7d7cf59bb145547173aa209a74b1362b682456

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi.tmp
Filesize
732KB

MD5
7d5dc5a5a07f09d8ad536654e7e4a1d2

SHA1
e02e1c5ea4a040ea9749f5202627559d9f37ad01

SHA256
cff28bf103329bec21d8f0e6391695ac0f2381d45470eba8dc1f9bc2ba21af95

SHA512
a0b2e735965388a9b7014c493e52c15bc468198dfec8cc7e6fc0f8cf1c1b1e3699310276c3c6fc22a8c4a21b0f1bf4d86f9c01fa9b680f9518a5ea4139e03bbd

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.tmp
Filesize
19.6MB

MD5
3d434371de812d870f423aeefdf254d6

SHA1
108f01eaf4b7df1cc3264330f0544f3229dc24e2

SHA256
55c6f48bc1097db453f70a195db85f39a00eb1043fc07b00706f8bac2ebae476

SHA512
f48f943cc467fae7a13c08393976a60a91121dae4b381a903e142e0afb7b34e0e67466d444b84bb3ec1c9a98487b2e631eb90e9f139e4778ef1fb6ce8639ab7d

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi.tmp
Filesize
719KB

MD5
ce96e67a2741d5b9e7db401a4404ffec

SHA1
73f3faec1829e850df2f477e159ce386b093c857

SHA256
0a12e3f6879d20f196ae4c95b133f65b004b81617cdaca4c7db1ee452aabe5d2

SHA512
6ddc75b3923af9b9e2834b64e12faced171dac5bbde1f337311d6bf039c8f3d38fb68811d8b0e9f84f636e3910a0bea4ef92e81a13274f33394189cd99db6634

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab.tmp
Filesize
15.1MB

MD5
d236a7fe11bc9c9b7600a38d979fff13

SHA1
12f80660b292819fb2af4f20e2b515ce636e954f

SHA256
cc8a95ca7f109c9e1a7a4bc48ea3b10e5308204400160daee74b6bdf2afadc49

SHA512
9eb81f04600a29f48517ecd3e3534f625678ff55d671e5163fa2fdd5cb2fff94ac6976966a41f21c6a577898207284e5903ecdbe9cb84f39a21cff6f9cd6000f

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi.tmp
Filesize
2.4MB

MD5
5805b59b641a2facdee9b17ea622442e

SHA1
cb40fc67eeac71a22b630e02563dad4a9936c830

SHA256
66dd850309af68d3bfbd9af99d16b320ce4cba17e565c38d93790972f00a85ae

SHA512
a45cc2a9549bddc248c61c6fea56f734470076e3216244505b3bbf808516829184ad80755c5d94f56611801647c511274143c8cbe091e699a64bd428f04c5b35

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.msi.tmp
Filesize
1.8MB

MD5
724ef175f3242dd851dcef75da5e41b3

SHA1
c65a3d7add57d12e8316b5f363fdfd32bc179959

SHA256
46f30973d260d37a4c131351ea1ebdd3017c24f8f4886bcd165db03eadcafe56

SHA512
be240dbfb5fe9cdc821dce8faa0d179474bb0681d0695ac821766368d685d3852a2b24092dd95f3e6820034ab76163d1b0954dc561da9f01998f89c6d36a8418

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OnoteLR.cab.tmp
Filesize
16.7MB

MD5
c4f45a3b7a512fc8e87a7b8b0618d976

SHA1
9f2dd1c3bdd309d5f3fe59036c3de12f67957bd2

SHA256
b1d2fece6041ff0b3838405ed647d11b8c166bf8638adf18d6f809974932edf8

SHA512
1af1e2a7763d0991a77d9f59c2efd6d3d878c0791dea4fb8c2b3845f013442b9a45fbd6630509f28b9acd0126ea337780a4483920cee8ab87c46a911af08050a

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveLR.cab.tmp
Filesize
4.0MB

MD5
fe83a3e76b8a3420901d11dabc06afda

SHA1
bd5abe6639bf88b26ebad5f7e12cf86f83b7b206

SHA256
579a675e15b8fcae720d3f0b12cac6772ad7193507adbef5f6324e6c0f302f0e

SHA512
327baf97e8ba2ff646205dd494700b6eb6cc9d4888f4ad82d47822f333551453f7ce605e430fb3fd256cb447bd4162dbc0946c1adc9ec64cc5a9f567853dc22c

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwintl20.dll.exe
Filesize
190KB

MD5
366307fd01c646f628e54a2d93ac1b53

SHA1
0a6a2c52f0d0f14fbd668b6de5596da2a07d76f3

SHA256
31d7f2c2d46be6e8783debeeab5b9be88664362f5f180a371435073bab7404b7

SHA512
a0992e851781ba437fa6c3300aeb029944cbbf704637511be557455e6a9b38c516b4b57179a5288d92df21a0d2ba23ab1bc53ba2fb6e7b613a79e85fde842f4c

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE.tmp
Filesize
903KB

MD5
f429f3d60b8495849b9b6f3a42db537e

SHA1
c0af4eee3bb2fa7ab8dd06749cebcaabfb18984b

SHA256
c52bf02d967b40135fddd6eff7a523142fc752af931cabb6e4d7169b00250d46

SHA512
9dbf1af7acd8bb363b516b37668bdffaa8fc76d27ad4283ff01a8e943f8654a30c08292bf873fda57baba877fa5c7c94ce7399ffb06431d71b6d950ce0fa4c51

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeLR.cab.tmp
Filesize
13.7MB

MD5
0f1ff350961d042360ed5ac23d05dc8e

SHA1
20c42e18a3b8edac147f9da4e0cac7868bdf3512

SHA256
2ca255f50e9cdec860317a58fb31f3efa462b58cc3e6fa3e19755f72c12b4e77

SHA512
7bf2933da73e55b20638662cf8fe622c589ae21ac830ccfdc1b23f32dbe1f5604fef50b760e60773a592e852c5943106ddc89753bb64e95b1fbf73423972a67b

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.msi.tmp
Filesize
2.8MB

MD5
040f323904a1119baf3cf79f96a826fb

SHA1
3c57425059465311438e161fd365c01a0e156b49

SHA256
5cb30bfe4edf9b574aab8f0949568d5be60a63ae1d184be2d244beb0fbff7022

SHA512
b982f05aacd217082a430e733b407073565621edf47bdc7e5722532b53cd8436042f07be1823cddc46960e8e2315b9b619e69c1e1f0ae7c6ed1f8f967c03407f

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.msi.tmp
Filesize
719KB

MD5
f7547933af30000afdf2574f80b3d710

SHA1
0d1f3d7080f2c85e15df6105029b235dad7b6eeb

SHA256
d7ccb96b987e06319e825b89c098c650a7a0c07e1c0840c4bfa2514de0d7ed5f

SHA512
3592f95bba5a16f748c82fce323f3f26af98a53eab2618db5d30fc5f2ccc72087f18ea6d4cc3e455f2a0b488b138323777a5b78351d87014268670581e0e16e1

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\ShellUI.MST.tmp
Filesize
91KB

MD5
59a28b4e6bddc843c97126e820c20bf9

SHA1
fcd4e4a5f974c13d28f3f9e19797f97024994e42

SHA256
3941602b42e8250641bc287769b0a1a00084ef75cc70dce29b83e513bcbbb724

SHA512
250a7b7ed3e159cb211b42b306701105e3e6cb566de8bf1b1c560fb3f218d0065f71931aea0665aa8117c50c5db3f31672c7547f336c2b0a72e6d2815207755b

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\branding.xml.tmp
Filesize
667KB

MD5
e437751051153a86c8003ceefafcdb5e

SHA1
9bcf1f6bd86dde9412c9bf3d78b5ece5813abb9b

SHA256
1acdd8f60d9c1b3b46297adf5ab6a60955b86281ab9f0c946ad2bfc9e25e6d76

SHA512
50dbcf763e4086ee78db2f9766e62bd906d23777179efcef4cd7c15cc985759c841c87321126f077baf8be379f620db80cc7d6bf24195161a7c6de46a9570e1d

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe.tmp
Filesize
592KB

MD5
22b4cc6566c6ff6e2b487328d4c23f2a

SHA1
a7fef4c5f2427132ba9da3a9f3ae122d89d85e07

SHA256
997f993ea5b6c150610dc256a07e67269a6128774a8a493b5cb8edcd979d6ce2

SHA512
599d1335aeb13d440f445594436261de3bd5d00cdd1e30c6cc369e59f22bf50f1c8c82df7bdaed0eb98c4cb47611c3fa158143715000c2fcb01bf4bac890cbb2

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\msvcr90.dll.tmp
Filesize
725KB

MD5
d0d958a2ba880745066f4c518acf98d7

SHA1
8c8eec3967f2afa3a1e6324abac2cb4b39af011b

SHA256
e1443ea41235f28a0aa5ddb6bf00f8556dfa9b08666158f9a9c9676c63edb1fe

SHA512
c64012455a5bcec2270557e007915ee3a494da26de6092c4aa49e3ba08df43fbcc69b47e6e78577782043d3056c142322ce4051bd4b39623011514871de39253

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\pss10r.chm.tmp
Filesize
111KB

MD5
57be4a05034bece655d0439928c4354a

SHA1
2088a89c8c4afc4ac64476b21963151830474568

SHA256
0e3aacc6c0d9aa61145703d59b3fc20d5331d570586b6e93e75cc6718edd8b70

SHA512
3e4cf06e584dba62e8393f4af8bfa59a58a107dd4e3b71ef1dc1889bc4ad1e5690af7c96526443d834bd08330b05c08fa7b58a6ed848ab18be9166d18be8aba8

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\setup.chm.tmp
Filesize
150KB

MD5
73829214d3f1854993a21c44ef125243

SHA1
a9013164ec02a05be012182d58643c01fad8bceb

SHA256
d2c64a11ae7a40086608ab95ef0e39e8401158d4aceffd22ec47868defd46775

SHA512
6ea99faa26cf28edd0351d86faef31a7541d5b0e8d89f0a5b9e8c42092cad57f60818f9e79b38ced98038b452e982c211c0a3db1b9be0823ce32eda384fb47b3

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OWOW64LR.cab.tmp
Filesize
1.2MB

MD5
140643abdc937be7f2b9d25855f54671

SHA1
eb8a4fb09b6f2078415caa390ceb4ab309d7e457

SHA256
0cfaeb6b60e61cef118dbab98eaf5a092c0ceacb9f35f7bebbeec609d5205bf7

SHA512
01053f7fd658a270402754d5ea8c6428767331b3ebc1cc4e397f24ec828828e06b96734afd241edeb1132d44181a8c6ac12386b3a6e2e12228f60708d2957ef0

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.msi.tmp
Filesize
723KB

MD5
447729400469d1e43260e3fca2a982f3

SHA1
b7b2f72165c5216d352fbeebb0cd2e04eaae7bd7

SHA256
a4277815b065d78b7ddd884efa29ef879d43ab8e58dd87d2e098b7442829a89a

SHA512
bca939d526cb525275cb0eb5cbbddd7cec279ed0ce948d7fdf6f99e5b70e7f7f60555bcf7ace99fd574b7d61748b8aa61fce68689b302dbafa00af804e06fb9a

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUISet.msi.tmp
Filesize
719KB

MD5
c83b58d5872a582a6c33442f260fbd60

SHA1
8f82b539273e5ea5e5503e87c4d3ecd7851d81af

SHA256
fa6f1ebcef6ee792d1b51f73b8a524651a17196bd736099fee1963098d4bc5d0

SHA512
31f24683d9243a55076bbf551a9f55963ac7fd77a387180e3bf7c159b3e5b347796f85e50b2bb6e0fc2a1d97ac518221c5d93a222b123c5f22c4beda4ae0478c

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUISet.xml.tmp
Filesize
86KB

MD5
1b388e1d2cdb1a89e224338467e2c7b2

SHA1
ede6dbd17c6b346455e4859cde28516f1f26c4d3

SHA256
fbdc37e26cecc51eac0d20b77690acfef7473e716feb56ede2872a2bf2a1c30f

SHA512
43f31d59f60413eec7587ce55e0d8863faeddad987ccf5eea774390a804e29bb4677caa409c929ae8219ec6a1aba69327097c8c94260d26d6d52d88d2ddf93f1

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Setup.xml.tmp
Filesize
89KB

MD5
9bfa1831f295db6dba8b255b122f46af

SHA1
9ecc5de40560e42e0cd0324a85a194bb71d6e8b1

SHA256
5c633d3ade695b778f1de45e332397fa87246d3a22f2115227dabd95935cc5b7

SHA512
d762601c17405594d02d54b5759306ea2fd5937224577e6812a51c0d776d8dccc0881469a1c75645f535e6c9b55daede54ed67cefe9e45b5fadf0f6d128e44ed

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccLR.cab.tmp
Filesize
26.8MB

MD5
c3e9020e4b6aad3721c9cf15666ebad2

SHA1
7948b096a53af1efb06eff43910e769d871acafa

SHA256
db7e3a6829517e42f8186e6316fd2c47ae3cb421b2729eed12ef85e9375162ab

SHA512
7d0efc78f62e7148d55ea91e06a666facc9663ecb9440afadf8665250eb0c5ab0f84014ecf8ba142460328475cc561f546f8e74a2a4d2ab842514869f9ae76ac

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccessMUI.msi.tmp
Filesize
1.8MB

MD5
c6bcd6f67ba535fcb4f4b5b31ee7316e

SHA1
7e2f0b3c036e1629baf90bb308c9c1457cd80fe0

SHA256
de61331f520188796aaf9515e67b9b871c365cffb31660034395c38c88bfcd62

SHA512
74e9d7524b21366bd40b023717ccb8cc8371d1c84eadcea564efab7614d21121c56fc813d07e0fb11ea013b95d6038dffa6b2dafb22aa7fe3cb4656685858ca7

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\AccessMUISet.msi.tmp
Filesize
719KB

MD5
910b83a166717acee3f7c18dd71f49e6

SHA1
8621ac5241a7299c55c1a3284f04223fd05283ff

SHA256
677fb1d01acd63eb703bd9a7765321d850b232b0965e959a489731c3c5c19c04

SHA512
dcdda35b9b805ee6bae721a1894aac355f48c7ed7d2ee6910ff80acb20c3e825768fe5e40e18742b1bc108b11b24eb1f0d0f76436b3392789a0b36c818088ef8

Download Submit
C:\Program Files\7-Zip\7-zip32.dll.tmp
Filesize
149KB

MD5
a4da165aab5a33462c1cb91dbe4db44b

SHA1
fa445ae3d1fc9737922f1ccb57ef4f0821604322

SHA256
0d1934336934e14ab06f4de663da9918fc88c321b0e7e39810c37ea7e5a20d2d

SHA512
5112762a07dbcbd7db762133e7bcc949513e9c61b68f247c64cedfb9b7978451632d941b825b1ac289768f9192da6bbd460555ef2365400e312200cb015adf93

Download Submit
C:\Program Files\7-Zip\7z.exe.tmp
Filesize
628KB

MD5
d1d1db6a8260fbe18d2cb3c4759263c9

SHA1
aaa03e54af8c055b6b930465cc36b0ac3ade5dc5

SHA256
b513785d9daa163b230f98ba6c87fb6242fafdeb7e711d79e51a39f1918a9bf3

SHA512
64593c842350fba5abe99889dda8ad0995c1a3a2bed4c686b5a7269cb14a01617be175612d30637e8c5f74b4db255631296b5a57356526ad77547e58417d64c8

Download Submit
C:\Program Files\7-Zip\7zFM.exe.tmp
Filesize
1015KB

MD5
14072ad848dd6434b8ef5d8a52b9ea23

SHA1
c350792d543894a1b9ed9f9819be7b78b6b8c3ee

SHA256
2393de1dadf6ece99473667d591697d041d903559b6dc7b2ce0eab1b15a207e9

SHA512
688a28460ab8550a25695460abd1cd05aca315991e2ca37d044f895ba11e2f8c0e73e36a31bda3ef58380de38e67cf93b1aeb641f750aec9b6e01bc54854893a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_Get-AppInstallLocation.ps1.exe
Filesize
84KB

MD5
7e04d4a98e04aed55e7191be582f46c4

SHA1
1906a1ac4f881c11bee33ffc54e17ebee5dc7caa

SHA256
98ce4e0e6cd228b56f92856aeb0827f2f911cfda0ca77db9ede138535161d7bc

SHA512
08761b01a6a2361a81e1a878735e818528a17c58947510c9799836c6ec5944ad05a58a1339ad1b54a232e7861b30558b252a1588dd4c50e166972e6201550293

Download Submit
\Windows\SysWOW64\Zombie.exe
Filesize
78KB

MD5
613f4932930307b7039b8551c1232f75

SHA1
6cc1ae14aadae56245008f80ba407501ad5fed4c

SHA256
5366283fd81dac1acea004a269a3323bb168abff114033a78d1affa201a75fbc

SHA512
0a5a0b70f4b4dc3680856d5c8c579d2df029df1673fd8f3c98eb5632408a77fab7ad093f05be549d5d8f13b9564f3fd11d02e9606dce20467e3b1ae4a01703b2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads