Analysis

  • max time kernel
    120s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags
    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    16/10/2024, 03:26

General

  • Target

    952cf734910d48fb7f30e0e211c09850f8561ee3688ad69f30c4d8c7b138e01cN.exe

  • Size

    118KB

  • MD5

    c4e84ba13344c5cb763a4e2c34391660

  • SHA1

    b0557d76eee1b72c3a79a50883d8a8ed48ea5dea

  • SHA256

    952cf734910d48fb7f30e0e211c09850f8561ee3688ad69f30c4d8c7b138e01c

  • SHA512

    1ff1a09c65abb5a1268f8fc389d660d29a8ec8c6b289432715100af8324c348147ede6473f8bf9f4263f82d208995a3452c119a77e8e37e774f3ad2101beed36

  • SSDEEP

    1536:CTW7JJ7TTQoQmoaTW7JJ7TTQoQmo1YSiHYSiV:hoRRoRdYvHYvV

Malware Config

Signatures

  • Renames multiple (339) files with added filename extension

    This suggests ransomware activity: encrypting all the files on the system.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • UPX packed file 52 IoCs

    Detects executables packed with the UPX open-source packer or a modified UPX.

  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\952cf734910d48fb7f30e0e211c09850f8561ee3688ad69f30c4d8c7b138e01cN.exe
    "C:\Users\Admin\AppData\Local\Temp\952cf734910d48fb7f30e0e211c09850f8561ee3688ad69f30c4d8c7b138e01cN.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2208
    • C:\Windows\SysWOW64\Zombie.exe
      "C:\Windows\system32\Zombie.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      PID:2844
    • C:\Users\Admin\AppData\Local\Temp\_OfficeIntegrator.ps1.exe
      "_OfficeIntegrator.ps1.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      PID:2744

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\$Recycle.Bin\S-1-5-21-3692679935-4019334568-335155002-1000\desktop.ini.tmp

    Filesize

    64KB

    MD5

    e871ad8475077e552350049c59d691e8

    SHA1

    482c6da817118816a7505be9c367208c02c6ac36

    SHA256

    dfbe586c1b2c02a9cfeedb67ffa32bef1a83518544ce8443ef1a8e0ff3c9c35f

    SHA512

    ac7b4cdbd5fdf97e64783283de9351c4d55562aff87afe38e8a9b6974599d10c37652a1ea2dfebb9fba5ffdc1550c5e960a5790256e00c33a5a4fce82e60677f

  • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.tmp

    Filesize

    12.1MB

    MD5

    949767381cfc5ade7615fec03b07c47c

    SHA1

    21b2af4ad8c9b9df4d845b8f021b39b87d9c7513

    SHA256

    1ecc27d44ba972cbe7bfc44093b8f48f9aa057206f9b845f3a6b0accaa8ebee3

    SHA512

    86c886a0b27a7d317922c1916fb88c8967065e6f49f975e9a0ac6e97264ed0bd2eba1921b0d9506bf8709e260d7b41ad97f4da4674b60efd338cbef7abaeec1a

  • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.tmp

    Filesize

    22.8MB

    MD5

    7a0d0c09ac906e8c1fff3fe412f6b342

    SHA1

    cbbf0592d0a712fddc12bf1dcd8f60fb263e615a

    SHA256

    9d8f0b29448c65d953cb81ac12b82ba120b6a49f74fceec64a42164783b312c1

    SHA512

    850f64196c2157e0e7d110d78a5381db2439e31a76ea1ffb7ff5a2d0a54e8a048602351f49449e5045f6e40a8ed84edacd7f306f7b75db0aa66b9ba3256d0971

  • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.tmp

    Filesize

    64KB

    MD5

    66febe309d5242532d81c8dbb7dab090

    SHA1

    547ae2d4c65e29de4de1425534fd0ef636fc6558

    SHA256

    79ef9fbbcf700c7422298f5ca8520c9adc1d3b18b77195278e5e7371a2b12849

    SHA512

    43c0ff788864b66fcef73de9cc558830da59abda512023e4fa4e768fd96be4c2e09744ed5a638f8bcb75f8e4ae9f401438d593d6a320dbacbf850f052650e98c

  • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

    Filesize

    73KB

    MD5

    69c22694036570de53487c1284c86972

    SHA1

    b64b7fe5c8c8a2efb5c4fa6635e90d700e0a30cc

    SHA256

    ebb7b1f068cf909fb03720266dafa47448e84d6ddb97ae032811ab1a2e752044

    SHA512

    5084a056d7c368e96283ed3f89150d1d54300723f0dc30f01f2b8810debab9aeca1676e6cfb7db861e63e763f45ec86ee02cea7e33a4582f0cdae411efbc87be

  • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\PidGenX.dll.tmp

    Filesize

    1.3MB

    MD5

    50487d411e135f3cfebe2dccb852ffd3

    SHA1

    1035af9422a0d0c26cdc64c4e1583397a8374cd4

    SHA256

    d1ac484de7681d45a56444c5fb98a9309385420ae97492b08d06970bcd6ad823

    SHA512

    894db1dce50a07ca3d3f87ac16f8bef9e6a9b50cb71b7974f5877fee1a8593ed4fc4a88395249a5785ceee42b1d97950cc32581a0e5bbdc6d97e301d0f404088

  • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.tmp

    Filesize

    6.8MB

    MD5

    059418855521f2daf43615d52238905c

    SHA1

    0ccca31e8bc0b9546b0ef1cb651fab5de7035c32

    SHA256

    cbe121cd4547e23d2c68a497c18a2083e37c1a27bba695177e45196886a61a32

    SHA512

    c85175cf15fbbc53f27cdbf81a911387f0e283a514dd556cd3591f9f3c155cdd6f4adbb88401d78310a4b6df30d07a0e51f612f7f2d24acdc5225e3a850d4ec6

  • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.tmp

    Filesize

    23.7MB

    MD5

    4ecd4deaa1a16a50e2a8c5329729e331

    SHA1

    2df5c74462b785ae099942b76bf568cc3676b126

    SHA256

    862f8a0ca86bd2cb3c7bf8acbfea5187b304fe69cfb8002b5a152d9e11701cae

    SHA512

    3c41ed457738630f9d978617435e35b26eb9f6e271455c35884f9f1f2d657d0d90bb92db0ceff3966b94d0b537658c8b6ccf46583269eca5172f611cd26d1a92

  • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml.tmp

    Filesize

    81KB

    MD5

    aec36fa93a1a013ba1d45c9c55947a60

    SHA1

    fa9f635a63a6065d3e7e34893409c6b83262da86

    SHA256

    e93387413cbe50eaadca51e8105dc9561ee47a038f8991c5b9bb613896aebc36

    SHA512

    cdd1af143459080d490f2fca6fba0762154e1b56760ad469e702ef8f87449f1de26945731049d65b442b55692dba3ff3814e183052f2fb3bce607617f847f91a

  • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml.tmp

    Filesize

    94KB

    MD5

    dcd95ecfe78ed35416c3c0937260ebe4

    SHA1

    8fb78cf6abf323b4e7d0a60d1acf932de62a43df

    SHA256

    c56be9a580669d18dbdc91ba51d6895a540528872c9164993141b169db61fd6e

    SHA512

    dd819674c42a5c78de2c3fbb9da43400a017b1c719d7a6247fad030533a254eaf3032cc6cbb40340db0a655182138e85f60a5bc30b7488301f2475285b393629

  • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\osetup.dll.tmp

    Filesize

    72KB

    MD5

    881b3f7aa6f99674a5b2827e4246565d

    SHA1

    00e09886839e395f3bd44d6f5b117d6067899ffc

    SHA256

    d5d9b32690410f8a5afa356b64173b669ede911411c3edc7593e276345d1dfea

    SHA512

    903abb2fd16cbc4394fcae38b24d5cc5a8909d23dbb88a823697c5e2a4a93b6abc4d73f2cca26c40c2d3928f2ef4932f2e6631bad1c327ecd175ee88dbe3cc41

  • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\osetup.dll.tmp

    Filesize

    5.6MB

    MD5

    68cc903b4daeee9c7cd122e4d12a157d

    SHA1

    629b89a4f17a313d772ae15e1d3b7195d8dde8b6

    SHA256

    cf6d95d556907a4540b53377c2a0439531652149ca5c2e6325af51dde33aceb0

    SHA512

    e693eba19c23e69d9bf35baad9ca8e86190e5dc84ab6915a664cb4896590e1e73867e48cc8104e5fa23de3458cbf189ca2948aeae74810e19042865fb70b4892

  • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe.tmp

    Filesize

    1.1MB

    MD5

    62c85fab425d58f798a5978ebd0fc9c5

    SHA1

    ddacecebb173557988cd3590cde9d09f8258cb6f

    SHA256

    664235e32beb7c4182ac937e2fc75d7a7b59e4277f9266cf3adbbd6ffff58b08

    SHA512

    2548c0c22d84a8e07c78d0c07b9859c28494c8d0f77cf52b614e84db1acf6ca242bc8b950d771937c2ed5db02d4edb0e0e523741036cbc2fe8541edf9fe54f42

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.tmp

    Filesize

    216KB

    MD5

    1b4e044a1f193e284e7b4c5be3e23bb9

    SHA1

    4bdcba7451015e9d08f7ee4eb1075f1b94871a7a

    SHA256

    446fe117d6123b4039192172cb785004775399bd8c9fea8f0fb6f70f95ee02c8

    SHA512

    c50ad3beb79476afe06db5d64c41997bb6b52d01c9379b2cbb816e984ca9a34fa24fb746c0687aed251633daa33854ae65d2d2caa6ce2ed462e1ef5d1af8ec70

  • C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.tmp

    Filesize

    72KB

    MD5

    3f72d9b5d44712e93f2284ba71022ff9

    SHA1

    00c2ab20884a61b71c1ba9aaa19bec4b434dad4f

    SHA256

    616a40eb39bbcb3f470c2ff9cba0a68c6ca3e982ec88e1ee860c3ebcc025582a

    SHA512

    da560ccc1c6aec4d35906acf7f158ae1e40236ce5efaf028ca81a397673c7db10b5891fdb6868177195ce87ff759cd7bc988135c1059ca13d425b437dcb3af53

  • C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.tmp

    Filesize

    1.8MB

    MD5

    a7e0194ad208bfb351e7c4e7ae319978

    SHA1

    bdbc2d48b36d104b7e37a7391a367f1d4d4506ee

    SHA256

    57d1ed3777c0719f7ff7b1250896ea842bb4e024b0f35853c6a55ff9e7fef76b

    SHA512

    bf99d661c81e240525c9ef1f5233b89783901faca7e5893c289a79c9bcf89f76511240746c8df70fa7a95f7be792cd013f1c57237a2ae47cad7ae84f89e3c6d8

  • C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml.tmp

    Filesize

    64KB

    MD5

    3c907fa080abb0da12d7b115475b0cd0

    SHA1

    a3efe7ae2a2be1f0a7dd61156814df175e063162

    SHA256

    ccc5bbe7a7ac23fdff5796c01bec0582fe4d761a96d25cb2ace44df778e800ea

    SHA512

    9fc8b5fa8deed8914ba6c259fe666f592741704eddc58406a75cd57b4339bd8a75ead5ef8747863225cd43341023e32f29b6352b0fb48ba39e0a66ebf8473907

  • C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml.tmp

    Filesize

    64KB

    MD5

    147bb063d0134cc17ea4874353c92b7d

    SHA1

    640117968b83d050afa0b30cfb4fee4c1bb22314

    SHA256

    6bf18fcd9f21b98d6efbc6018ad64ece9c8e913bbd31e99dcdd1cc25f2a6f56f

    SHA512

    573b68c01daa6fce505a1674479d91fc41a26785fc0ad8dce5a722d8c54b8d91576c2573050c76446920c344625882c1817eec32db0fb6f174cc4300229bdadc

  • C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.tmp

    Filesize

    3.8MB

    MD5

    04a01f5dbe1e69c7b81d88296207bf5d

    SHA1

    903fd019c87f96ce55fb27ae93c07398d738933a

    SHA256

    17d145cd27af0d02e6660d4dd34d82d9d373cb2054553c73a48087aa2ec97b9d

    SHA512

    2997c41f8d724858017bde12a5e1a048c6917da3e07494524c3209c10d06fcc62a3ba1e06b567d8f07deb6663e7043969e521405d634337c2167401e1f90a1ef

  • C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.tmp

    Filesize

    1.8MB

    MD5

    0203a9442cf4a2fe5976678c522f01ec

    SHA1

    c2d8602af7f62bd4ec4d00663f5ade58fa2b4dae

    SHA256

    62a6dd8277687715e6bfa6d216452399dd52a6dc210229fa9cef2c40246e11ed

    SHA512

    366884b74b2831baf1feed91e3fd638307763f23c070b45987141035e34f5ba97ecc5cab71389b9c91160b26dc9a1449cf73d2e4a207e271df8bba239fe0c696

  • C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab.tmp

    Filesize

    14.2MB

    MD5

    33a2a30077a0b43e6ff60bcfcbd03c35

    SHA1

    b953fd85189bdb54f136c5b0cfe707992abeb772

    SHA256

    7271f0601e42e1ef049ccd852fa12b891915de3642388386e65d1d7cfd2b4d9a

    SHA512

    c6a0287f2453f764d56a325afac456b75e1c78b331d49f91b68d10b060baddb28dd49bd460a2e70a89f70a45c3d169cd6e25f97b23cf07b157dd4b7b56fd649f

  • C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi.tmp

    Filesize

    84KB

    MD5

    7812a265d58c878c273e4c5afa154557

    SHA1

    b3d7c550edababae173ac4402610e0a9bee66e9a

    SHA256

    05fd7a71be2e66c4d4c418375a4a97bff7ab839ec76d9ce14d0cc2b618d584f6

    SHA512

    b5931b2eb28fe7e6670024c1a515421f1f4efd19df7452477cf8128308f64846a83d0effc2b7264192c791ed28aabc7e9acf3334c7ae4d67de36af16ca4d9c19

  • C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi.tmp

    Filesize

    2.1MB

    MD5

    ef9734400e2e1e566f5f053809c0a840

    SHA1

    defdbfcc4256b9fa25169c11d79ee939ca8e8454

    SHA256

    24ea61f9a9f0587c4d109aef01c7d287afaf7727e0ee3770b8f924953ef74d49

    SHA512

    291aaf02312ef9e2894b52beff63233b36ddd2e0381086f0b669546b1fad2c7057b167c867807d5669490524fbfa48ef5806965a07bee0b2a49aeb1b117557c4

  • C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi.tmp

    Filesize

    1.8MB

    MD5

    c7d752dd26f449a8dcabd7121798ecfa

    SHA1

    3509ef8d52c5afe6917c70c733a4ff4775dc9d3e

    SHA256

    eb6b2643b10b78e6722b67d76b3360275c1de557f8af40faf8c9fe453e0de89e

    SHA512

    73c123fd294329fbe687139caf958ff0d41b7f5218f09ee71195d0f81e8312f9f7083f5d9bdef6c1d9ffba81acb46b52f96cb0c8bbcdd903e25ab1898afd9735

  • C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.tmp

    Filesize

    2.2MB

    MD5

    e7905b6805605df3855a84af10173959

    SHA1

    e2c8abcb3d4e2def8d07767c5b8cf01c584c3455

    SHA256

    1a4414235032af180517dccfc958714b52c7fc2ea0240df845823a47824e5312

    SHA512

    736ab27378f79f1590e454a3af041d2644c3ed3ed93b9b1352d9f93e8a77840132684fb67c0bbdeb71caecf11661d68fe80c61e87e526d66bde3788b5337c58b

  • C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi.tmp

    Filesize

    705KB

    MD5

    12961f64de69d9bd0ca9b59933d80716

    SHA1

    7678ca2374b56746c0c81cc0d780d6168595ed39

    SHA256

    c64c02b630f099876eeaaf379fc9d47b8df009f19b020bb4021b87bb4ff8c4e5

    SHA512

    94805aa940ceeac55123dfac9ad0bd131e39ff34a873b2d3b16407f4a786a5c24b01f635bdb2f285131cf6ba3c8346b0510fe263af5dc221ea0fc96ad90f3aea

  • C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab.tmp

    Filesize

    12.6MB

    MD5

    45917654cf97a0ce9775a1fe426101cf

    SHA1

    b16e7c141e929713e6af648b28ce2dbbeffff266

    SHA256

    1df54e29b9ed0bbe91032ccd04702b9b4b5f4eba59697ffe6fd2a965c4533641

    SHA512

    7f132ffd4e0da51215dff998c6f2e568f97288efdfabadea0b63018280f108628dc9afa14e52b02fbc35a9cd2e5553c2f50f8155bc0e08f1fc86fea68f23f73c

  • C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml.tmp

    Filesize

    64KB

    MD5

    0fa6f79ccdf044afe8112389f9f66d03

    SHA1

    bc0a7c76da6c0e4aa224475e13ff6109d9861268

    SHA256

    593a1113dc68080c1cda6f7cb6b8a1e9892309f19ad7c50eac6e72a2480ff8dd

    SHA512

    bd39a4839c74adf57571ef1563192e3bfa671ea1272adec98827bbb2458918915f9dbd1172cf05c489cd77ce14bd84db4c6264e8ac2634b0c3aba331cc01db2a

  • C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi.tmp

    Filesize

    64KB

    MD5

    d86d6f71d427082638ca7d71db038526

    SHA1

    4d64160698b8b363f2ee38a6abf81bf2880b34a4

    SHA256

    59047d31e522efe8a83d71ab845be2099296ee23bcf43f47bf0d0fb098a5760b

    SHA512

    c388dc7d28ac8033b43c76872078f89c57020ed70cf8f1cc18ae47213bad14dc64e36fd9809fd8997a6819f52f7e3cf49313ec50e1b8c1cfa3d217140f5a9eaf

  • C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml.tmp

    Filesize

    64KB

    MD5

    4edaa1971da287632fe458bf74d1d2f9

    SHA1

    d07233121c0ef6612de6bc9c27c19f738331a8c8

    SHA256

    2aeee0522f761323f9304e483844c5f6c62fbb9b231992dc341de99401070648

    SHA512

    cbc518c906ed11bbad793e2ef640821af4b41241bce9c72f93f6886ca210b3231211a19e272341cd8b42fad6b03dd96f20282251001570cb959610216d17ca08

  • C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi.tmp

    Filesize

    699KB

    MD5

    f96a84f67fa3395ff66358ae4ba3a256

    SHA1

    4f90c5978508e5127231436b20d5d5c56f12ee20

    SHA256

    78c79d0269b253a960366ad099dd1b715ed54e5ecb7769f85f69b0984cfe923f

    SHA512

    f38587c61fbd7de041cebbf5a72da3a5a10c37eb0c7441dcf301cfa00c34b514c4de31d6ab35ad17407d62efdab47969006e48d9666e27db483761836624c199

  • C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml.tmp

    Filesize

    65KB

    MD5

    914db48d01fc95e7697afceee25059da

    SHA1

    05af8b260d349e62676015db2342b5d7b718aebf

    SHA256

    9847aedc4ca90453b134444ace9c1df31af1cb77cccb017aaf41acc0dafec256

    SHA512

    8f05df5eb3d76b481a60febfe68ff9384953945bbf189c9a60a41834ea4e8b9abd34e8250b4ff2ff5dfebccda4d9f30f54b4f39660e8c34dd15ac80f395c5ca9

  • C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Setup.xml.tmp

    Filesize

    64KB

    MD5

    5e354ec4bf27e9a4cac9b5723bdc64a7

    SHA1

    0f68235c40da6660f2d2f4914d8f6537cb586842

    SHA256

    32bd6eb0fde4e4cadc6d17413e593a724c01f00f685429c3551e85405101a128

    SHA512

    20c2c6c5629a612b61976f6b8679a7c8dd39ef84a8c70044dee8de9d4365bcbee4d078d0db7080b4520023674d60ad39fd2412ec1fee99a3c6f69ace91215b1c

  • C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab.tmp

    Filesize

    2.0MB

    MD5

    54eaeb7d2cc1b75b353ea2381fff7857

    SHA1

    a2ec92b2ba34bc29771f4ac71c18edf8ec288bed

    SHA256

    15cda4e2f365e51ed140dd5ad338e21d5246cdebe871213dfaaa861b05a58de0

    SHA512

    d765722d2d14f20a8354ef4142a67eee98a92b60a238429f94f6507cfc71719a4dee3674a77a025fec91ca1fec370998854c8ce99eb68c2efb5c555e4bc7d237

  • C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi.tmp

    Filesize

    72KB

    MD5

    3173702238cb151309d142ef9014d0e8

    SHA1

    42b3960f426b9ace6c0921f3cd9bf3238ae1178c

    SHA256

    df5f3891f3f7ebcdc4b44dbda1a2d3a58008136960e223ee047d70351e2f43bc

    SHA512

    1fafb18388be003ca7467d1ae35c3c6175d46559922d110e6847845d69ab51bc26a8f77bb328263cb431caf3fc3cd46bb1f7fe509672f14c1243aa962143662a

  • C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi.tmp

    Filesize

    2.4MB

    MD5

    3783cb22768dab41089082387490b2fa

    SHA1

    0730c4e896d5bd468726a3533aaed401c23371df

    SHA256

    a04e03ed1a505352b47c7e4f9d13718f14259b29572f4aafd52e1a515bb33c36

    SHA512

    48fe93e4974042571c770609b962c7e0d516adbf09a0529a9d03cee711257f288cb94219b6dbeceee9e34f50b9668450a8b2ac1bc35fbcb3611598b8e8b4b177

  • C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.xml.tmp

    Filesize

    66KB

    MD5

    03b07a7e8a7cd4a179d096f287cfd01a

    SHA1

    ae360c264fe281e086d211652272b82be3f150a7

    SHA256

    fc0a07a03c5ad4934e6a3734da34f23a5f4fe93fdfa6e9d3a9ca860e4b6f6a3c

    SHA512

    2ca20e5886ba36e9609b9954ba5f4e2a2815a4b34deeab87c289ca7265b3b2f42c260586624cc75c230419274b62930fa3887ceca07ddaa63a60e8da67059b5a

  • C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\Setup.xml.tmp

    Filesize

    64KB

    MD5

    de5dbdcd8adc1163924b0fc05f004ea6

    SHA1

    6d995ebfb1464d07fcda7a06ea63cbc99715eff6

    SHA256

    ef12e0eb97a0f27e49f84406592d901e729b80d27206ebcf648c39c70a6fb312

    SHA512

    f03c6502d16ca8e6a8b064a7bbe90139197842cc310e65d9df7173cf5cadcfe46526dcd6b98cfaf83d621717e3492b004eeba0a8a50230131af6d11e5bd889cf

  • C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.msi.tmp

    Filesize

    1.5MB

    MD5

    51a195aadf373daacf4deb030e53105d

    SHA1

    941a72d21c15d35775ae699d1cc4ab19af087e01

    SHA256

    5b4d2cbcd3d7a7b72ee0295e9f873a7f2ca1254696a5fcf48bee2e6512807370

    SHA512

    3ae6dfb46f70a307a4f38f72c26c1188427932e4a3ffd45d4dab99e04ceb063148b3f7b53a2634772df111acd350cb154b3f90ed3658f2da68cad47da405bb6e

  • C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.msi.tmp

    Filesize

    1.8MB

    MD5

    c50bf46e59cb6ad6d8ebb28493437033

    SHA1

    372777f875e1ca558e7068e887e90f77369c7ba0

    SHA256

    c5b57fc1ff22488bed4ec17176e3d5fc613a18ca06ef7ae16665e334c0ee58fe

    SHA512

    ad37e208c77a651ad3f020a60c4db221d785fd6a055ee9490544fe05ac7011f9300d93e5b0a8dc7eb63aa08d755419e7232f4d6e8c341f2e45fe1424aae0e6f6

  • C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OnoteLR.cab.tmp

    Filesize

    11.5MB

    MD5

    ccb338850b9e32b586f241b7541a7232

    SHA1

    4feca695d482231afd6f653cf731146be85c2959

    SHA256

    1543e62fa9ade6d4636ad15fc78d3821ceb2e517193ebbd85ea73a9fb84da2e1

    SHA512

    de1ff98b32c638aa9c7e57cbb3f529cfd1ae136adf39d2bd9720e7f67f80c230ff23f61f86740f9ce365907a05dc220c3f0f158933f3e5e9c74e281e6d495724

  • C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OnoteLR.cab.tmp

    Filesize

    16.7MB

    MD5

    12a40c6c5bf5ccd235308288f2a917e0

    SHA1

    79692b8f92bcafa27e7b9f8a7613d51687600cb4

    SHA256

    bd553a8c5af0e1741e9665824643d3f8ad3d7b1e6b16e537caf8d174bff95351

    SHA512

    dc8c24dba0616adabc7529adec3ce616907881d13637f4f2e8c00fbf82a715a252a46e5943794fd43a8af57bb3fdeacd2621b4bc1d4c47fd1a5b3bfc349a2199

  • C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveLR.cab.tmp

    Filesize

    940KB

    MD5

    faca58c5d9b3b1b0baad4d3ad311646c

    SHA1

    08852ecd68289a32b68a2d49822b17721f5ebac4

    SHA256

    ba819ea8244ffa34ab547b04b6e8c6b74ebef1da351819a99a26526f1412d347

    SHA512

    246afa152278f66cf98d214d65383e696e88493580b17df8b83df9d08cea648697c93d49ea98ae17de5991f5d75932afb92089fecc0a736576e4b741c3d9880b

  • C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveLR.cab.tmp

    Filesize

    4.0MB

    MD5

    cbc1413b3f0342ba01c96e11f4e3e468

    SHA1

    5d6be0ede680d1157ba6a32c10fc757d456b049e

    SHA256

    f2f2a427a85d5d7633c8524e35a059704f86b209fa4234056f56b6e1c48f890e

    SHA512

    0905912204497eba34d1ca46abd678d492fdb731a213c7e5a00e769ac0425ddfadbbb897a79d51deea2009487be2eb692b4bb579f4e399d79b26f24db99aa75a

  • C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.msi.tmp

    Filesize

    1.8MB

    MD5

    0fd69ebe919677c6211e8d405aa99b3d

    SHA1

    fc8718688880c9a6cb23613e27efd106b2cb3055

    SHA256

    c2a6dcc10697cd32ab921e0c669e714c385b7f9e309b6ae672229628803d0f27

    SHA512

    9afd84b7d7e192e4bfdce77eb57b6b331d9f54040f5e8d369a907a1d94488f693f6345a0e3142d15216438f7745bac11c2a6ba25e043c818bb40a8fdc3707a71

  • C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwintl20.dll.exe

    Filesize

    169KB

    MD5

    9aecd6c075b5b581c47806ab6f14dcad

    SHA1

    d26672a555c3cdb21977dffc005cde35b93c2c14

    SHA256

    a9a7a7e812d572236395c6301b1566973bc8fb64a3022e09994feb60f3e370ee

    SHA512

    5112dbada8665a9b55830f0fc03b1ff10abfce3c8d5de33df96bc2213cef9e9a2c57b6561a7c65b18d2846aae2359462acf098eaf319274908437c7e6429ec1d

  • C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE.tmp

    Filesize

    64KB

    MD5

    d323206137d021bc3940d0583f1ddcaa

    SHA1

    008ab747529d01d660b9e736dde81ea1453826c2

    SHA256

    43cf5fb2b8a900c2d8ee45751ecaa58d354ad0556b1bc1a5aa88d51d1544d168

    SHA512

    9791a8bb0502022502de1cd23d93cd70f858e1ae6a3641881a2648fda68fb1af56fcc6beed98b426fab3127a453f87b9da6381bcf9f021128b5613fe2fcdf798

  • C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE.tmp

    Filesize

    883KB

    MD5

    f67424e568b5a31d7e4612d0b0f6c60d

    SHA1

    44a8c212b541436f51359575910c176c4e02c422

    SHA256

    b2b6192c0224bc97667f4bceadeaae59679f3dba8380d0bf735aa7e0d524db1d

    SHA512

    716065a9d1dbf01c7a76a44339b48f07846fa479c5fd7ec8a5a129eab3bf9d230e40dea9af564c7c472edac922f702e6e6cb85cb5bcda942b686be6ac54b65db

  • C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\branding.xml.tmp

    Filesize

    72KB

    MD5

    d50a160609be66df29d77398aeb37783

    SHA1

    9507afc015133fd638d9998809db120f57bfbc8f

    SHA256

    c72a0bc28c6b832b541576beb4b5549f48ca34d684d80adeced670eb0e16c4dd

    SHA512

    a9fa8ddd9c586f8fdfd15f1223ecc1afc86d9b518189f8201e9713f85d1c45f647458b00ffdada0647d5efaac3907bb1b61219db45b048976e78b7fdf9a1d84d

  • C:\Users\Admin\AppData\Local\Temp\_OfficeIntegrator.ps1.exe

    Filesize

    64KB

    MD5

    38b2ecfedfd11e40d456f2ef5b94c3f0

    SHA1

    7918067dfc58e2f8ca4cfaf79cfb3ac607c58cb2

    SHA256

    40abcbba3022b72d2e94ebf1d5fef0a9c3307a571a18e511b97aa69d549598d6

    SHA512

    c1a08f52386afd474ee237a4842a7a691659b2768f22411d2cd4ec03f480f6e20f9a1a1d72f572a50f2fc3ee7c0027bb3011168def0d320057ad48a1978a1f23

  • \Windows\SysWOW64\Zombie.exe

    Filesize

    54KB

    MD5

    ca562f23a00b8f01c4ceeb05f66c8417

    SHA1

    f18a7c0dbb7417c901a6cf401b2bfc3b238af56b

    SHA256

    6c8f0da8d303ecb041b6f0e1415689dfe1c97364739024179254eb3873385a7a

    SHA512

    bf1d53e787aa559fd10a2969fa80dac35a9be5267be54cc4032d82852f46e984228d1a2968175af85207954fb6e041ae339b756e1110648f01fa91fce0acada4

  • memory/2208-55-0x0000000000290000-0x000000000029A000-memory.dmp

    Filesize

    40KB

  • memory/2208-0-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

  • memory/2208-20-0x0000000000290000-0x000000000029A000-memory.dmp

    Filesize

    40KB

  • memory/2208-13-0x0000000000290000-0x000000000029A000-memory.dmp

    Filesize

    40KB

  • memory/2208-54-0x0000000000290000-0x000000000029A000-memory.dmp

    Filesize

    40KB

  • memory/2844-23-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB