Analysis
- max time kernel: 150s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 14-06-2024 04:06

Behavioral task: behavioral1
- Sample: cca32c64b77e1e1b6c36484fd5c4928f42500c6d865f7f29ddda5da1a032287c.exe
- Resource: win7-20240419-en

Behavioral task: behavioral2
- Sample: cca32c64b77e1e1b6c36484fd5c4928f42500c6d865f7f29ddda5da1a032287c.exe
- Resource: win10v2004-20240508-en
General
- Target: cca32c64b77e1e1b6c36484fd5c4928f42500c6d865f7f29ddda5da1a032287c.exe
- Size: 267KB
- MD5: 040009fd5a5b8022863ca98628e001d2
- SHA1: 10896fd34cd6e4101df9f8eb50f813b340406c5f
- SHA256: cca32c64b77e1e1b6c36484fd5c4928f42500c6d865f7f29ddda5da1a032287c
- SHA512: 83e4f5354e600d1fbde6be7b345ffa942fe5d1ad44e7eafcffffbc4289cf1ac377f77c9e2d6ea35a2b351eaaffdd87d73fcfee0c13f37710b1edc845ed7de422
- SSDEEP: 6144:KmCAIuZAIuDMVtM/XSYmCAIuZAIuDMVtM/XSo:IAIuZAIuOYSKAIuZAIuOYSo
Malware Config
Signatures
-
Renames multiple (3669) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
UPX dump on OEP (original entry point) 53 IoCs
Executes dropped EXE 2 IoCs
Processes:
- PID 1996: _Node.js command prompt.lnk.exe
- PID 2596: Zombie.exe
Loads dropped DLL 4 IoCs
Processes:
- PID 1936: cca32c64b77e1e1b6c36484fd5c4928f42500c6d865f7f29ddda5da1a032287c.exe (4 events, all from this process)
Drops file in System32 directory 2 IoCs
Processes:
- File created: C:\Windows\SysWOW64\Zombie.exe (by cca32c64b77e1e1b6c36484fd5c4928f42500c6d865f7f29ddda5da1a032287c.exe)
- File opened for modification: C:\Windows\SysWOW64\Zombie.exe (by cca32c64b77e1e1b6c36484fd5c4928f42500c6d865f7f29ddda5da1a032287c.exe)
Drops file in Program Files directory 64 IoCs
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
- PID 1936 (cca32c64b77e1e1b6c36484fd5c4928f42500c6d865f7f29ddda5da1a032287c.exe) wrote to memory of PID 1996 (_Node.js command prompt.lnk.exe): 4 events
- PID 1936 (cca32c64b77e1e1b6c36484fd5c4928f42500c6d865f7f29ddda5da1a032287c.exe) wrote to memory of PID 2596 (Zombie.exe): 4 events
Processes
- C:\Users\Admin\AppData\Local\Temp\cca32c64b77e1e1b6c36484fd5c4928f42500c6d865f7f29ddda5da1a032287c.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\cca32c64b77e1e1b6c36484fd5c4928f42500c6d865f7f29ddda5da1a032287c.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\_Node.js command prompt.lnk.exe (depth 2)
    Command line: "_Node.js command prompt.lnk.exe"
    - Executes dropped EXE
    - Drops file in Program Files directory
  - C:\Windows\SysWOW64\Zombie.exe (depth 2)
    Command line: "C:\Windows\system32\Zombie.exe"
    - Executes dropped EXE
    - Drops file in Program Files directory
Network
MITRE ATT&CK Matrix
Downloads
5.8MB
MD569f0d4cde8b128ec85e813acba4154cc
SHA154c8af323c5d2933fde79f741ccd4c8396a81635
SHA256997e62cf96b55b3b7729215c3f02756e8a9efaa5ff06aa53b017cc2e17ab54ee
SHA5127b5b51f8a5a2fbe8a59591fa657c20a5dfe14a86341754ead7c45274f0b39782b0aeb703813e165120f8449eb040f64a0749583ed7107eb1c70f6a24a6b1bd40
-
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.msi.tmpFilesize
2.9MB
MD5541e0ec09e8eff1b9d0fc943cb2e7986
SHA1ee40e45bf0b0f3c66d588cfa7510cb2415b0b270
SHA2563de718e549bbf63f2c9166408269e3702e23556dc9cb0c86e392ae70f2d94b67
SHA512b0a04a1d7555c095cdfed41677094f6c68b11cc9a57bd46f912c7ba8bb408d6ca480347bed1c98a5424ce16bfbde2ba4593b7b3d585ad8c1dca90e716b8938b3
-
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.msi.tmpMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.xml.tmpFilesize
134KB
MD5b1e0a408f666232edb27d247d1fb12bf
SHA1d509d0e9f1bfbf7fe1dcbf2abf48a034e72e47b6
SHA25662a6ad007958dcfc81c1e6a6b0e2f5e8e96b35977ad1f8053a310a6b5131dba9
SHA512932166af3e703e2311e130a1694cf9aed8d1c6795df3000a536f45325942ebc287aad18aae520241289efecdf51be4b8eb0645b6d61972b6387483c81030f2a6
-
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\ShellUI.MST.tmpFilesize
139KB
MD5dbe7384293927d57935da3b21d83024d
SHA13d73e8b500d47a6c5cf55f85b450d12060db13e2
SHA2566903e4e3f338618c0d9b9031eb83a29dec3334d67108b3bb2fc120cba97e5bf5
SHA5123fb7f5e9128a0c0bee1ac40e245b50a4faa0139d99c0f219519370ab5c468b8090e43af3b303f842288ef4a897b17b55423fb175bdeda7c302e275b642048ef0
-
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\branding.xml.tmpFilesize
715KB
MD5b803f8fa2898732ffbba301bd98ce236
SHA1e2085a53bb53db675a74a5797c7fabe82b045990
SHA256c5de400f12977144d65c420911e747a05e8dabc7a01032735b552a6d644e5706
SHA51223f151c390818dae9176549df815432f83aa621f8599f1e3f0e78b99521d45619edfc346a7e02a45de27406613bd813beb55d722b924bbb4b084cb085893be71
-
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwdcw20.dll.tmpFilesize
136KB
MD58bbfc5dc8b78d2571cc0c39f95aff7b5
SHA19e6f784c0eaca26de324ec77a55c48ee3f17ea9f
SHA256faa7726265e521d48d731b6f606542f17487422c747b53e074ef0933373b13ad
SHA5121b57fbd7f2d9e1ccec73cc9bda9dc2d4e66a2a05bea413c6003ddcb748c907d3d40fd187c6eb7843a8e3d91ef24c2b7879e25038a4c7e493e6a5b2f1bc5086e0
-
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\msvcr90.dll.tmpFilesize
773KB
MD5fd76f824f110ef781acd174780f1ab39
SHA19e2f8f7b47b32f09ca34e44168f8bd988c7f979f
SHA256cdfd533f63353adb1d0dc11eadf6e2caeed936efd8aa1a0afd44e89cb64cd74f
SHA512e0e094e169c287633dd1540acbbed398817010f6a7c18c26a8a0638a50a4e66ca5cc898ed23818a8a24382d993418823f051f20c40f25a7c3f96080c856d0ac8
-
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\osetupui.dll.tmpFilesize
320KB
MD57d9ef9d504fefaf82a5766690da98e4d
SHA17b52b6d3bea7f8fdbe562578a6a2fcf96f53e146
SHA25665cc012ecfd6aff38615767d9570f0a5901ccf48621245dda2b4903c8d1b6856
SHA5128c7a39aa1b6727acde1ea2a9e90c0884584585d05994ae3520b0c686dd0f7120eb928e64466c8763a6a5e81355ef04bdcddb62837ee6878ec39739aecf9eddbd
-
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\setup.chm.tmpFilesize
198KB
MD554e2a063d3777f4366d67892c45722d1
SHA115cdfe4ec232e82a9a5dd9088847fdb71cb7067f
SHA256b2b624f301a32e3003713c68193c2c0811f43531fe28d75188494f2c04d4d1cc
SHA5123bdcbe6e836879acb4544f476e354e00c7475de0019fbeae99f6f68e46f81734c85ed169cb625861c5aed9b69977068216668ba307cfa4026f7d8355295983bf
-
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OWOW64LR.cab.tmpFilesize
1.3MB
MD5ae77a754e33594453d72af3b02467c01
SHA1f733061185123f5f215040931358fe02fe42682a
SHA2562b9271cab6497d3f83238eaee5b497786ff2ef89422499417472c4d943ba6eea
SHA51212523dd705ebb257e236a10fcf81cd1267b69554dc5dd41de0876da2d8b0a85f42e614beb31024bfb67f9421359c0a0c28b1997ab97926d70bf48530f328eb9b
-
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.msi.tmpFilesize
420KB
MD5e8d71abbee6e8b95a3bdd7b37e0a82d8
SHA198aca35bdcfa5491fd1e3ad161f6d8735bbf28fb
SHA256b4210385d3b18fbaa88058c912e5c589eed8b16964eb6336097a5d66b4e2d5ce
SHA5129f6ac5214f630bb8a5bad506f9146ea9ebcba0b80da88e9a0094206d9ec9f045e21747a4aa49928641ce71db4467339facf629a855bd8facefe9670689be2495
-
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUISet.msi.tmpFilesize
769KB
MD5713df547ee7bfd6f9b18095c25f6ff86
SHA13e3828ec2d8684f8c241d187773939084822d944
SHA256545ee598237185188072eca9e0a2ce6cd8ddaee2e07721eda1cab2dae35a2191
SHA5122d277f72daa085a6b4fd829479599acca7b31ddec18d98e964062829b9bf6af95a3dc1347ad541c5f8107878f9acbcb7b7161c6b3dc6c75656af473cd8215eaa
-
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUISet.xml.tmpFilesize
134KB
MD522cf974e35bfe16a7af0614b6dfb6980
SHA125380e87c1c2cb9c99b02d7856378d74301b1839
SHA256350ff1734c5ff5f754859729fabeb1be2d9fec01f695eca8daedd17a63411bd7
SHA5120a74c5b3e5a3a841f587db500d9d5ff96c6af2ad623365c4b5c5cac9f1cbd7c4b763dca243583f565c7b67de7e848fddec0f19cff027ac58266ed05fb8319b76
-
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccLR.cab.tmpFilesize
12.1MB
MD5ad6c8faef18f4e94b891cbed88c98696
SHA1d5688c0c3e7c4ca06a9e775603a502fcc8706b83
SHA256a4ea01b0541d90ae2e8f62bb894a01043618486c466b24fc64201cdf5d98a12d
SHA512420619b0866ebfc72a8dc7bac82fe123511444cd6a8d7276f73650d5a1e00312a3250c74063ada5ec85795283a1a59731d10b4dbc713aa75d7e8bce8e2e844ae
-
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccessMUI.msi.tmpFilesize
1.9MB
MD520d043d948ab210f70af0289d403114e
SHA1e57f5d4ca3dee12ea1f02c6c9b3456356e498115
SHA2566fce6d031d486b764dec000456d3deb62cc4b2663635e447d223b3b76875a45e
SHA5126fc65b80638ade0857ad745b03a791fce3425ab030d8c2ca822770a19cd9a08c5811029f8f4e6897be9c592b7cf04662c1948351fcb2a67ae79274be9b836ae0
-
C:\Program Files\7-Zip\7-zip.chm.tmpFilesize
140KB
MD517be80ada828c6f8b07fd4fef787c3c2
SHA1114e7f3133e66e8618a88c6e1c66988f81d45590
SHA256ae2210e79b1442ea65e4c95e664be47570c89ac3d4020c04077f496db24821be
SHA512cfeef2a82dc2f16081213ead6fd6ac9299c3f48cf5d4233f5ccd65078b11314e4cb437b1edfac7895b2266fc655dee9d8f61b5115096131eff58180ba96a8111
-
C:\Program Files\7-Zip\7z.dll.tmpFilesize
136KB
MD5aa69ebf61ce79b485bad31de2a037ac8
SHA1a5f3adbf6f0c6e4bfa63fcff4c62f56400519f26
SHA256fbd9659a01730badf6445bfa7b63648d6a734ddadd1ca938c030910713dcd485
SHA5124bd2176628b4c09982e632fcc9d7cf14e899ec5b255c1045fcc98390f6d0ef2f312949300f1f5fa4606323b098d019334cfa26ec2ae24d364fc4a80ab8df6a71
-
C:\Program Files\7-Zip\7z.dll.tmpFilesize
1.9MB
MD5816bd47e57d59a6776028891fa316147
SHA13fef0cd7c2ce74502763233e5abf54f20292c0f8
SHA256a1d3c4bb90b0b8fb86427aa1148dcfb4fa0142223a076f8f53e9c5ba758b425b
SHA512f7f8883b1c800ea6b82e55aa4a495a7d80a128daca7b4a277eeed86b7416a444f1305d46d78770d635ba2b108ca787aec07812e3cc84bfc669b4b184b5309fc0
-
\Users\Admin\AppData\Local\Temp\_Node.js command prompt.lnk.exeFilesize
134KB
MD54b991cdd4f2b581657fb7aca4751f37a
SHA1e6cc65887a7d0b6f17bac66646c0cfa8daffa9a4
SHA256a54f4d284b2d58265bc783db8f8767f379a2069d259e1df55d12d3119a95559e
SHA512ef6cba1e237fb53799110280304e7dafa40ec9bafa80df9351d45f1654543c25eecde02591db2d3ababb2d8a92b5422f959a59186fa026d0c804a9591e35c58f
-
\Windows\SysWOW64\Zombie.exeFilesize
132KB
MD551bf70247d59b097fe227b42f4510a74
SHA1e6f5c06d6ba50845f05d28de926f7e7398e3671b
SHA25629b5a34e0d31d27589996ebd5fd41984bfadad9db7b0c70f4e91c2422185b454
SHA512838e282c57246ab5027ebd63ea5ac88e9c745c244aa1510f30b4e8f587243f0e6bef315a25de9d4d83b72d6a944624bbbc9a39bf3eae5db109f505d9e16cc5b3
-
memory/1936-0-0x0000000000400000-0x000000000040B000-memory.dmpFilesize
44KB
-
memory/1936-11-0x0000000000320000-0x000000000032B000-memory.dmpFilesize
44KB
-
memory/1936-19-0x0000000000320000-0x000000000032B000-memory.dmpFilesize
44KB
-
memory/1936-34-0x0000000000320000-0x000000000032B000-memory.dmpFilesize
44KB
-
memory/1936-1170-0x0000000000320000-0x000000000032B000-memory.dmpFilesize
44KB
-
memory/1996-18-0x0000000000400000-0x000000000040B000-memory.dmpFilesize
44KB
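Added example, not part of the sandbox report: a small Python triage script for the dropped-file listing above. It parses entries in the flattened form the report is extracted in (path with the Filesize or MD5 label fused onto its end, one digest per line, entries separated by a lone hyphen), compares each entry's digests against the digests of zero-length input (the OfficeMUISet.msi.tmp entry above carries exactly those values, d41d8cd9... being MD5 of empty input, so that dropped file is a zero-byte stub), and tallies the (original extension, appended extension) pairs behind the "renames multiple files with added filename extension" signature. The sample input consists of four entries copied from the listing; the function names are mine.

```python
import hashlib
import re
from collections import Counter
from pathlib import PureWindowsPath

# Sample input: four entries copied from the report's dropped-file listing, in the
# flattened form the page is extracted in (label fused to the path, "-" between entries).
SAMPLE = r"""
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.msi.tmpFilesize
2.9MB
MD5541e0ec09e8eff1b9d0fc943cb2e7986
SHA1ee40e45bf0b0f3c66d588cfa7510cb2415b0b270
SHA2563de718e549bbf63f2c9166408269e3702e23556dc9cb0c86e392ae70f2d94b67
SHA512b0a04a1d7555c095cdfed41677094f6c68b11cc9a57bd46f912c7ba8bb408d6ca480347bed1c98a5424ce16bfbde2ba4593b7b3d585ad8c1dca90e716b8938b3
-
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.msi.tmpMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\Windows\SysWOW64\Zombie.exeFilesize
132KB
MD551bf70247d59b097fe227b42f4510a74
SHA1e6f5c06d6ba50845f05d28de926f7e7398e3671b
SHA25629b5a34e0d31d27589996ebd5fd41984bfadad9db7b0c70f4e91c2422185b454
SHA512838e282c57246ab5027ebd63ea5ac88e9c745c244aa1510f30b4e8f587243f0e6bef315a25de9d4d83b72d6a944624bbbc9a39bf3eae5db109f505d9e16cc5b3
-
memory/1936-0-0x0000000000400000-0x000000000040B000-memory.dmpFilesize
44KB
"""

DIGESTS = ("MD5", "SHA1", "SHA256", "SHA512")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Digests of zero-length input, computed rather than hard-coded.
EMPTY_DIGESTS = {name: hashlib.new(name.lower(), b"").hexdigest() for name in DIGESTS}
# An entry header is the path with the first column label fused onto its end.
HEADER_RE = re.compile(r"^(?P<path>.+?)(?P<label>Filesize|MD5)$")


def parse_report(text):
    """Split the flattened listing into dicts: path, size, and whichever digests are present."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-":                      # entry separator
            if cur is not None:
                entries.append(cur)
            cur = None
            continue
        if cur is None:
            m = HEADER_RE.match(line)
            if m:
                cur = {"path": m.group("path"), "size": None}
                if m.group("label") == "MD5":  # no size column: next line is the MD5 value
                    cur["_pending"] = "MD5"
            continue
        pending = cur.pop("_pending", None)
        if pending:
            cur[pending] = line.lower()
            continue
        for name in DIGESTS:
            if line.startswith(name) and len(line) == len(name) + HEX_LEN[name]:
                cur[name] = line[len(name):].lower()
                break
        else:
            cur["size"] = line               # the only unlabeled value is the size
    if cur is not None:
        entries.append(cur)
    return entries


def is_empty_file(entry):
    """True when every digest the entry carries equals the digest of empty input."""
    present = [n for n in DIGESTS if n in entry]
    return bool(present) and all(entry[n] == EMPTY_DIGESTS[n] for n in present)


def appended_suffixes(entries):
    """Tally (original extension, appended extension) for dropped files with two suffixes,
    e.g. OfficeMUI.msi.tmp -> ('.msi', '.tmp'). Memory dumps are not files and are skipped."""
    counts = Counter()
    for e in entries:
        if e["path"].startswith("memory/"):
            continue
        suffixes = PureWindowsPath(e["path"]).suffixes
        if len(suffixes) >= 2:
            counts[(suffixes[-2].lower(), suffixes[-1].lower())] += 1
    return counts


if __name__ == "__main__":
    parsed = parse_report(SAMPLE)
    for e in parsed:
        note = "  <- digests of a zero-byte file" if is_empty_file(e) else ""
        print(f"{e['path']}  size={e['size']}{note}")
    print("extension pairs:", dict(appended_suffixes(parsed)))
```

Running the script over the full listing (pasted in place of SAMPLE) gives the same tallies a detection rule would key on: a .tmp or .exe suffix appended to an existing extension across many unrelated directories, plus any entries whose digests are those of an empty file, which usually indicate the sample created the target name before writing any content.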