Analysis

  • max time kernel
    150s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
  • submitted
    14-06-2024 04:06

General

  • Target
    cca32c64b77e1e1b6c36484fd5c4928f42500c6d865f7f29ddda5da1a032287c.exe
  • Size
    267KB
  • MD5
    040009fd5a5b8022863ca98628e001d2
  • SHA1
    10896fd34cd6e4101df9f8eb50f813b340406c5f
  • SHA256
    cca32c64b77e1e1b6c36484fd5c4928f42500c6d865f7f29ddda5da1a032287c
  • SHA512
    83e4f5354e600d1fbde6be7b345ffa942fe5d1ad44e7eafcffffbc4289cf1ac377f77c9e2d6ea35a2b351eaaffdd87d73fcfee0c13f37710b1edc845ed7de422
  • SSDEEP
    6144:KmCAIuZAIuDMVtM/XSYmCAIuZAIuDMVtM/XSo:IAIuZAIuOYSKAIuZAIuOYSo

Score
9/10

Malware Config

Signatures

  • Renames multiple (3669) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • UPX dump on OEP (original entry point) 53 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • UPX packed file 57 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cca32c64b77e1e1b6c36484fd5c4928f42500c6d865f7f29ddda5da1a032287c.exe
    "C:\Users\Admin\AppData\Local\Temp\cca32c64b77e1e1b6c36484fd5c4928f42500c6d865f7f29ddda5da1a032287c.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:1936
    • C:\Users\Admin\AppData\Local\Temp\_Node.js command prompt.lnk.exe
      "_Node.js command prompt.lnk.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      PID:1996
    • C:\Windows\SysWOW64\Zombie.exe
      "C:\Windows\system32\Zombie.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      PID:2596

Network

MITRE ATT&CK Matrix

Downloads
