d3dc48c713ffc3d99c3ff9b6855f4854f3e2ed1e9c54132ad91075762903f3c0

Analysis

max time kernel
98s
max time network
120s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 03:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d3dc48c713ffc3d99c3ff9b6855f4854f3e2ed1e9c54132ad91075762903f3c0.exe
Size

112KB
MD5

c4e82520323f9223b6a12c09a3f29213
SHA1

c20ed2dd193266def35d3f3cf4a63de1f1812353
SHA256

d3dc48c713ffc3d99c3ff9b6855f4854f3e2ed1e9c54132ad91075762903f3c0
SHA512

9b91fb9b84d2dbd8a12fc217619d0e149bdae6bf7ec9cbb306061aeae30652b49bba10c4a15247a650b497c5291e409ca6eb239d91db8ee8688d738c0b5c04f4
SSDEEP

3072:9QWpze+eJfFpsJOfFpsJ5DPQWpze+eJfFpsJOfFpsJ5DaPxPX:Lpe+ewDRpe+ewDaPxPX

Score

9^/10

ransomware

Malware Config

Signatures

Renames multiple (1367) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Executes dropped EXE 2 IoCs

Processes:

_desktop.ini.exeZombie.exe

pid process

2900 _desktop.ini.exe
2484 Zombie.exe

pid	process
2900	_desktop.ini.exe
2484	Zombie.exe

Loads dropped DLL 4 IoCs

Processes:

d3dc48c713ffc3d99c3ff9b6855f4854f3e2ed1e9c54132ad91075762903f3c0.exe

pid	process
2904	d3dc48c713ffc3d99c3ff9b6855f4854f3e2ed1e9c54132ad91075762903f3c0.exe
2904	d3dc48c713ffc3d99c3ff9b6855f4854f3e2ed1e9c54132ad91075762903f3c0.exe
2904	d3dc48c713ffc3d99c3ff9b6855f4854f3e2ed1e9c54132ad91075762903f3c0.exe
2904	d3dc48c713ffc3d99c3ff9b6855f4854f3e2ed1e9c54132ad91075762903f3c0.exe

Drops file in System32 directory 2 IoCs

Processes:

d3dc48c713ffc3d99c3ff9b6855f4854f3e2ed1e9c54132ad91075762903f3c0.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Zombie.exe	d3dc48c713ffc3d99c3ff9b6855f4854f3e2ed1e9c54132ad91075762903f3c0.exe
File opened for modification	C:\Windows\SysWOW64\Zombie.exe	d3dc48c713ffc3d99c3ff9b6855f4854f3e2ed1e9c54132ad91075762903f3c0.exe

Drops file in Program Files directory 64 IoCs

Processes:

Zombie.exe_desktop.ini.exe

description	ioc	process
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\MSTTSCommon.dll.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\Ole DB\it-IT\oledb32r.dll.mui.tmp	_desktop.ini.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\ja-JP\sqloledb.rll.mui.tmp	_desktop.ini.exe
File created	C:\Program Files\DVD Maker\OmdProject.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Kwajalein.tmp	_desktop.ini.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\IpsPlugin.dll.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\Ole DB\ja-JP\sqloledb.rll.mui.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe.tmp	_desktop.ini.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861261279.profile.gz.tmp	_desktop.ini.exe
File created	C:\Program Files\DVD Maker\it-IT\OmdProject.dll.mui.tmp	_desktop.ini.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationRight_ButtonGraphic.png.tmp	_desktop.ini.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Miquelon.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\jconsole.jar.tmp	Zombie.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe.tmp	Zombie.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr.jar.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwresmlm.dat.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\msinfo32.exe.mui.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgePackages.h.tmp	_desktop.ini.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\about.html.exe.tmp	Zombie.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\title_stripe.png.tmp	Zombie.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\psfontj2d.properties.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\title.htm.tmp	_desktop.ini.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\tipresx.dll.mui.tmp	_desktop.ini.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\tipresx.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\tipresx.dll.mui.tmp	_desktop.ini.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe.tmp	_desktop.ini.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\background.png.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msaddsr.dll.mui.tmp	_desktop.ini.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Atikokan.tmp	Zombie.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mk.txt.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_ButtonGraphic.png.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\redmenu.png.tmp	Zombie.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\dblook.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.intro.ja_5.5.0.165303.jar.tmp	_desktop.ini.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt.tmp	_desktop.ini.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Antigua.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\AST4ADT.tmp	_desktop.ini.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\mc.jar.tmp	_desktop.ini.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\button-overlay.png.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\PassportMask.wmv.tmp	_desktop.ini.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\fontmanager.dll.tmp	Zombie.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\msgfilt.dll.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationRight_ButtonGraphic.png.tmp	Zombie.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_photo_Thumbnail.bmp.tmp	Zombie.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe.tmp	Zombie.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationLeft_SelectionSubpicture.png.tmp	_desktop.ini.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Winnipeg.tmp	_desktop.ini.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\license.html.tmp	_desktop.ini.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipshrv.xml.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\msinfo32.exe.mui.tmp	_desktop.ini.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Lagos.tmp	_desktop.ini.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-7.tmp	_desktop.ini.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Lisbon.tmp	_desktop.ini.exe
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.jpg.tmp	_desktop.ini.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationRight_SelectionSubpicture.png.tmp	_desktop.ini.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Ceuta.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT.tmp	_desktop.ini.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.sig.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\mshwgst.dll.tmp	_desktop.ini.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\zh-CN.pak.tmp	_desktop.ini.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Dublin.tmp	_desktop.ini.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Pohnpei.tmp	Zombie.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

d3dc48c713ffc3d99c3ff9b6855f4854f3e2ed1e9c54132ad91075762903f3c0.exe

description	pid	process	target process
PID 2904 wrote to memory of 2900	2904	d3dc48c713ffc3d99c3ff9b6855f4854f3e2ed1e9c54132ad91075762903f3c0.exe	_desktop.ini.exe
PID 2904 wrote to memory of 2900	2904	d3dc48c713ffc3d99c3ff9b6855f4854f3e2ed1e9c54132ad91075762903f3c0.exe	_desktop.ini.exe
PID 2904 wrote to memory of 2900	2904	d3dc48c713ffc3d99c3ff9b6855f4854f3e2ed1e9c54132ad91075762903f3c0.exe	_desktop.ini.exe
PID 2904 wrote to memory of 2900	2904	d3dc48c713ffc3d99c3ff9b6855f4854f3e2ed1e9c54132ad91075762903f3c0.exe	_desktop.ini.exe
PID 2904 wrote to memory of 2484	2904	d3dc48c713ffc3d99c3ff9b6855f4854f3e2ed1e9c54132ad91075762903f3c0.exe	Zombie.exe
PID 2904 wrote to memory of 2484	2904	d3dc48c713ffc3d99c3ff9b6855f4854f3e2ed1e9c54132ad91075762903f3c0.exe	Zombie.exe
PID 2904 wrote to memory of 2484	2904	d3dc48c713ffc3d99c3ff9b6855f4854f3e2ed1e9c54132ad91075762903f3c0.exe	Zombie.exe
PID 2904 wrote to memory of 2484	2904	d3dc48c713ffc3d99c3ff9b6855f4854f3e2ed1e9c54132ad91075762903f3c0.exe	Zombie.exe

C:\Users\Admin\AppData\Local\Temp\d3dc48c713ffc3d99c3ff9b6855f4854f3e2ed1e9c54132ad91075762903f3c0.exe
"C:\Users\Admin\AppData\Local\Temp\d3dc48c713ffc3d99c3ff9b6855f4854f3e2ed1e9c54132ad91075762903f3c0.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2904

C:\Users\Admin\AppData\Local\Temp\_desktop.ini.exe
"_desktop.ini.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2900

C:\Windows\SysWOW64\Zombie.exe
"C:\Windows\system32\Zombie.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2484

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2721934792-624042501-2768869379-1000\desktop.ini.exe.tmp
Filesize
113KB

MD5
804e171aadcab32b770d9180a09613cf

SHA1
8352e84ccf20fa25d4194c2969ce915ca8e2d443

SHA256
6363a805b98dd1314259b6a2e1b2951d9c21d6ef21daf924269a15dd14320e2c

SHA512
08800b39db586065c4a0009534f563336456879302763d51fac3f2dda33a1c4711e06020cad38025f48b2cc5f24a5870c6ea4ec1d995889f7c4651f194e75069

Download Submit
C:\$Recycle.Bin\S-1-5-21-2721934792-624042501-2768869379-1000\desktop.ini.tmp
Filesize
57KB

MD5
6fb30cd0f48e34693dee2da22eb94721

SHA1
bb32cd2859bcd4a07b882626b28c81534ee11e7b

SHA256
946f213327b7e0571d02d2cba32fc708074a79ba91ed5791d339aae4b86ccddf

SHA512
1a8cbbfd425a223b2f19115ee9097e77c1453e077a5a2c7f8342c7776bdd1987f7983fd9958a85fab0f6b6545611d7d99df04ba19c213d249d88d160ef736e2e

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.tmp
Filesize
22.4MB

MD5
059a39428e85880a8f5819708938ce8e

SHA1
43d1c7f35f7447ae331b934633a338d4d970479d

SHA256
6f92d41a5c2b8a6a1f6378c86d2eef12a3392815a1674bdf9f15f5b454df4102

SHA512
47d6f6e78f58cb1bfe90ef22aaac8a38c0a1f77a7dc05e959b6283560b136ef24494cf0b605ee46f33ecc51cce6da7642fa903911addbc52baeda450460c7d02

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.tmp
Filesize
22.8MB

MD5
eec3774ac8f13a2b037411490da811e7

SHA1
36b4c13c30d79799534e93de4fd533b04f6face6

SHA256
8f992e80745ef3081f1e30c3fc73c6f0b3248b9ee78227096013b55266356c15

SHA512
5daf715c8f23809849b7ce236e63da5213fb9efd01f27394f9bf8513e201ae2ee5d118c275b6747fc0a0c1d2dbb170532db3a84b214dc8d9acdfb0cb8f6c750f

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.tmp
Filesize
536KB

MD5
9983295ef8d0c65093f352382610370d

SHA1
a010d6fa9ef75041aa01b5dba23a29ae01865368

SHA256
87df7da1e81d84ed8e234c74fdd80cdf5ac6750962541c110ce54630916190d9

SHA512
3431fb6e8784cd2336caa7fecc0ae6284ebec7fe5881a537838ecb8d9995eddc7883bb9087430713c5be2bcf967b72170b66e8a0f3fb393f5cce7eb2103cc669

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.tmp
Filesize
2.9MB

MD5
e60a2a282358ea65adc719b8757193fa

SHA1
5d26068911e87e8c329b63cf3474e0a598545d92

SHA256
c5f7ab64b3f566f068b75136ceaf7bdccf0c7045754c77cebf80808bce672a17

SHA512
786b12144ab7851c3ba355dc58d6057e4f7dffc872a29cb464d6e24e12d48efc0a9541ef60c04baa1937f14a69cd70344b14bb10262cb6eae512adea030b81a9

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\PidGenX.dll.tmp
Filesize
1.2MB

MD5
43b324acc19842ea5c465ae7e9e5ee48

SHA1
b497b6ffbd3e5815ac9d979a73f5c6d503596306

SHA256
84b497a84e6f53811471c3ca822a9e52bad752b43dfd01d471704646f6b19d05

SHA512
ecbc60dc6e334fc15268c97744b32ec6164817075721c87b2fec669ba85d5b37de73fa0d3d70c549f253ca07336649ab681615d725370a25a2699b5b04203130

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\PidGenX.dll.tmp
Filesize
1.2MB

MD5
a418e88949b58c5b81d608cc13446340

SHA1
305e15ea7456c70e05028fb85cf8f71088d9b463

SHA256
1b473e4d9ef646359bb2440be4883906e0ff87ab79e7b244f945390cbe9709bd

SHA512
d95c0c4ef4c5a5e14fb88ccfde76e7889936db69c591b0701749e5ea6a93a5333f4a34726ada1741958631be7ebab8525608f72e442fdfb9f1d6f54ecd3a6542

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.tmp
Filesize
23.7MB

MD5
52741290e12eaaa7ae5c5246b9644ee3

SHA1
76291cc5427209ead81a3eb9cb2940aa1c5741fe

SHA256
2fe1ecca1bfd6f87ac80cc9b692ea840350a76dcbefd91b38d26d5c2beef9807

SHA512
78134a32cb82b1245e95faebb3b9e5963a5001334ad0329e0697634998365d7b5c85a79eea36bae3d46bf4ab6d42fa113bf8f2682998ab41ac39a5314ea672e6

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.tmp
Filesize
23.7MB

MD5
c6c1263a703fb57145aeefa8efd56d02

SHA1
8e75edf02ec384745b3aeeaeb43005be531c860c

SHA256
5c8aa3af4ab5c3b179ac46d059130dee4ec089a6b32d2dfd5a8a6627541cc3b0

SHA512
b65bcb5c513502f8fdd3b14720b339bb3e49faff53eeb13d022d106df51ef5921678c5f0f07a944e6d875b60505dd1cd1f7dbcd70c2a0efeed9abb97bbc52497

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml.tmp
Filesize
87KB

MD5
0a420a396c98050c0d4095deb83898bd

SHA1
42c65bd98d0551e99f6b3425c4f41870d70889bb

SHA256
ab4267cc134a365cae915d7b40528c6724006dc835a13ffca63f01d7cefb9488

SHA512
5f4a4a4f944a6b1e526de9e7802164fb934dcfbacb9b1b1245da92c6cbb449b189ac3cc0c7e86987f56b46c36ddabaec19a706cf8b6befa8287a0c3d66511c8f

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe.tmp
Filesize
202KB

MD5
f436ad92d5b5ea2a9b4dd1cbbf37059f

SHA1
42e2e7abfb4c4d6e91575bc99f7467326c99e7e9

SHA256
4ea6f1cd599cf94cd562187c4feee5313abd0e96613ea37d8c3f7e52e910516c

SHA512
dcf5126a14574ca35eafedbc611e97cb9628ef94fc4ae41fac579398eebf96d9208cf8462debfe8b01cbd0c99c73b8fb6a2795ff3845629623d15e390c1ca1bd

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.tmp
Filesize
756KB

MD5
f6b283a0ecfa58954fab82712f430560

SHA1
9853adb9c7e914cb899c483d6228e79b8838211d

SHA256
5237c9113eea42a9495de370547ab20e558b1f10c44d9776a8b441ad69cd0503

SHA512
05a0744b2d30381506ce25403929c8c296c1c18550a033a8dbef1e9e2d43d1e08f23222577a266e0c908bfbf10c164509ae5f8d30a8b2b54427b978ee4ee91e8

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe.tmp
Filesize
1.1MB

MD5
4c812884cc878c85c956b3cc369965f6

SHA1
5433430a3b7667bc4c8d9d867fc1cff34ecb811b

SHA256
fe679a871cbcab1d6470c8157ae215b7b6830da29a733b4f5aff05ad46ff26d0

SHA512
13731247031559f135f6e1d156bfc59759f849844f1141e02685fc3086532189439923493f53a890952118bdf8bf520db47bc96ea3fd20f806afb1bc069aa6b3

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe.tmp
Filesize
1.1MB

MD5
dca42daf57c1b445e3c93c5d061024be

SHA1
389a0117adadf8b772b9380c21f321332f6daece

SHA256
935cc50fe3bc9d611c1c835f91228f05d50ce60fe50ab5a3ebdd25f7930816ac

SHA512
20d6efd572a8e4face6cbf053f1ab4807d24b2b05bb08016bb67912e70fa045e2d7933bd915c4a3ae26c95fe8113ca521c2ffc60fd015a09817d5b1fb740c558

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.tmp
Filesize
16.2MB

MD5
ba64fbdc1abb10047314f0a2b73ec4a9

SHA1
3ece2e0d4336b00b692229b62c6e3f035c5f7e8c

SHA256
eeed5e4fce234031526c5f7fcbcee4637ea9fa1141678719eb85d2d88a02f4a8

SHA512
0911ea8d61b608bdc9f26a256bddb542561673e2665a609b8c60224e461fe6ab0fb0afac920d9eb77ccdf53315622995ab0a745549e96352b6a1205a8b78760b

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.tmp
Filesize
1.8MB

MD5
68cd112d19f1962357e6205bd16351d0

SHA1
a9fd1a2ef663186d0901686180e984a229f78f4c

SHA256
505e859d1c2b3d880c66332f671945ec8a21fba7da845fb85ee2cc3f9e5c83d4

SHA512
3cc83a0d4056cbaefe4a188e8702f6488b93b9d82099173d62dce903e2599576e44bfc59391f994c9de41a92f7c4575582fac52f340295c441992a690673516f

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.tmp
Filesize
1.8MB

MD5
cbcc3ff6c035c04d6b8839ed215459bd

SHA1
322faea68064180166052bf90bc8b224c0fc5827

SHA256
c3373d3a0bf1ae13790683201b447894cb4898151c0d7488adaaef649c4a2142

SHA512
ab99300ee437fba803ab8b0ea89bb71995ff319528beb9307b743e2ee18a26b6e741058168fbbd6272dd449f9e46f765003acf9602d31952fa682859e967859f

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.tmp
Filesize
9.2MB

MD5
360d62126e2d69a5264a3af94f7e37cb

SHA1
c75ef74b5ab855ff7c0d2874b74bbf31a28fd46d

SHA256
38513836756e09dc2e5ef94700e9ae709850a7aaddf61c8d955e41158f672582

SHA512
695707b8dd699f47da1a2c8948dcb20d3a68d601bade3c2d3c27d43da89897ec57a9b6a811c5aad0b84ed4199521443183241205ced2570bafa782258446aa9a

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.tmp
Filesize
9.5MB

MD5
cc9f864b2629bc31c7950f4b686e44e0

SHA1
cb0a17aa2a56d3d2800ae93767f1e7584a83958a

SHA256
af61bfa18bb6ce4d226ab0c7741ee24a41a165bc94e6e268840ba6037a3637c5

SHA512
7382d46898e863c2b7ac201308634e55c28dc5a93ad20dc3f9c44cc23631d24eaca2aa8016552cb29e3a88e1cdf351186fc2b2da5083618c9d99c643c46c9831

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.tmp
Filesize
1.8MB

MD5
f76a99fde766645e7729eb2f05d13a04

SHA1
9656eca0a7aea85fce21924ade02cf6d8ceec6f1

SHA256
7e0631958fa59db2a30e8a8391399c1ba081cb2312b3d3140ccad9ffe4448706

SHA512
84f0d1304655ecb07abc49cf51fa551c3c343e94b0767db23c5f9ae25779d899823ae2948bad597037a921cb9bcd0e13582921c38c9e0d47ca664f513eae439a

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab.tmp
Filesize
4.3MB

MD5
2a4a431dd330c7ee4c61cc3fccafd221

SHA1
7db6c851824afe14b48fbbc43a45a152a5bbec3b

SHA256
79698278d9743e5aa717cd4ac1e9c5f427492163f1da1bf89a679b8002567887

SHA512
73cd6f450eab9181d6d1be1c9ae9b6958e6aa5982bba458f71770b1f149dc9411651597b9b9ff0c99eb5c4781bd42249409c4f6cbea38e52ec46ad7c8c304610

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab.tmp
Filesize
14.2MB

MD5
1174128d5544c4e03a989e18e48e2595

SHA1
1c9cc57dc4f07b3e6ca2bcda815a005241016d18

SHA256
f73b8822864b643137441ba31c1b36e59e00354ad7d22b77b9a8a225a4b3b96c

SHA512
26e73fdfac4de5efe843b85ad6a2057ea2fd0dc59352f3c31f30a721ba197ec298c66d23a41dca0677761ec8c61b9ad7c2f88ef0e45bbed227487c304dc613e7

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi.tmp
Filesize
2.1MB

MD5
adaec14b0c5313665b44e4fc2f6d8d6c

SHA1
c1d6870d25f0964a3fc792cf7a527cdb4539d856

SHA256
c001d715e157e54aa1eb02fc8d3f4aa69d34285c3fbad6d2081da2a3e59e2dac

SHA512
38a0ed49bd21af00f00d815b34c130a2f40ac97ffa1a77aa3497a61e6842041fc11010525d5686f60cee6de2b5705bfd913ac92a8712f770dd47d0fb9d9aa822

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.exe
Filesize
61KB

MD5
7a71583a3244151e05c46bb6adae72bb

SHA1
bea84c720633ca008d65a36ea3471db194e14375

SHA256
fda615306ca4461b698c1a14a35e5a83fa9f33759762dd742600f0c19f5487f1

SHA512
0eb71d44899199893f81dcf2f37006bf8a590b2f90741ec5958c95065fcb4ef3c1e694d6da3921f53bf641d3945c162a5bbe0469d7caf6b0c63afad96e77802b

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi.tmp
Filesize
1.8MB

MD5
0939861d97ee90531e3936dc837318c4

SHA1
659e1963754ff5d58b27390b1b28c0113a9f2d97

SHA256
df8ac9c6c74f2160350abe4da08479a399f59e624140ab28b2c7bc3a133fd3ff

SHA512
f4dd2ce5ec08a3f46f6e31e2c856f14be92f93e2428bc384619a47f1fecd9b737b1b0edc9d91c5570bc9f35a717254553d031dc52adfc656931866f2842b30b4

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.tmp
Filesize
2.6MB

MD5
dd1ddd7fa02675b253e50bf94d0ecdad

SHA1
b4fd359abe079223617fcd18f13dd32606540826

SHA256
14f613a912834c60c4bd1c9898f2966d279b5cdad32cbd2639a8648899d4141d

SHA512
76159d2a7bedc10304ec7e60bc3aae6cb103683918d77243dc841b8739a7f8a04f7e3e066d8fdb15404cb82e2f3bc3910b7833437e0929fe24600607b9f4a26e

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab.tmp
Filesize
8.7MB

MD5
a89de2b0e233142b43e2a55b687c3e5b

SHA1
c6326eafc6f670d5e5db17cbc8e524757f102f19

SHA256
5dedf9cfef6fd396b767ea7293feb54f629fc551bec14fedde36712a3d4fa58a

SHA512
bceedf1a49f24afe722b8fbbf3a0341b41256f33957dd57d5d1a680df1ff33760d08142ec68401d5e3fccce4d12578b7395f0bc158d0aea152b19bd9498f1125

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.tmp
Filesize
1.1MB

MD5
b26ec39dff75e6ccd6792552684d2c63

SHA1
4e4c31cab60fed96add8adcc892157724a8ba741

SHA256
7d2642b2b44c68f83b079278168641bd0fed3b5cb2b774191bf9f3e2b48ef2f7

SHA512
5c5639748b680451688299fb282a8611a2f88fb2ac2b799c45a42740102e96594c33e2b396c1b4ee3e0519ddd42bc363c28a2936f381e72428e576a05f94b89e

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi.tmp
Filesize
709KB

MD5
19c8d1984ce941708cbf887d6279934d

SHA1
edabc1aa5f4bbf727fb6addf3b1001d189506b4c

SHA256
15db5e17bea6db6201c4aef5cdca1563af51b98fd8f89efc3feee22fe47babd0

SHA512
01c5604900cf7c7b16d3c8fd1599962f808de67c14a187fce3e8aaa4cf7486ad870569f23a27e4b7c1d188bee6073aff64a6fc8803497a6ecee879f9bb74e8f1

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab.tmp
Filesize
64KB

MD5
d110abf5eb0c9c40ea152c9f87958199

SHA1
c52be85a8f5a586cacda1e59a11892d51f600dc5

SHA256
aa3d2dda63386a18f00bd597046a7571538f82a583051715d418561aff602cf1

SHA512
cc84f19b6d8319e25fd27ea440ab215835d440fb0f74e6bc9a43da83bc28fdb84c6e03be35c7d43851ea2cee80a0e0df40cbefdfbfeb78944e13b8d531d13c0a

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab.tmp
Filesize
15.0MB

MD5
e20dc2805d7b3442c154c0881e32203e

SHA1
585e6af2cfc04e2c9554cec9941c9e42de389e83

SHA256
6c0aca60f7ee221d91d3ceb6192d0579e92ac42a310b9481cb5812ed2f9dcbd7

SHA512
ef72f016454b28560f54112a465d01841f0be377b7ba956c3d96841986cad7d0ea1c5770921c9767859092e728f95771fc3d8294ddab79a4268a6845e48aab96

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi.tmp
Filesize
2.4MB

MD5
5a5a7cff6405236f84aa2403aeafc19a

SHA1
d04aae9b030fb2e484cea7c9ad81c21e46a390e7

SHA256
f5559e6939580e05bd9f709e079d71ea4f873112ce0aec0d3785f81d145ee6aa

SHA512
6bf7f4a08c3355868cd1d646b2987eb9e0a360747ce0f990428e23c237792ad1ef1ddfad94f8ba4709f28c918e76907602debccc21e3750ebcaf3e53169ec84c

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.msi.tmp
Filesize
1.8MB

MD5
bcd8d13776d4540000557c4b8c685b8f

SHA1
7ca37572ed1fad79ea36e5e055ef04b24e2b3168

SHA256
db2bfa95a7242a4396970037377a5c9cb8ce8fe54b0e7e903cb67331c6363767

SHA512
ec49efb94d71e647f4bb54c19c424118dc83c9a8b34a1c5119105270ffbe73107766238e55fd985de8a6c6cfb449469e21d9c613919b8fb98da55ed1c4533d2b

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OnoteLR.cab.tmp
Filesize
1.3MB

MD5
c72e9bb315b9736aabd9671a767028b0

SHA1
68da09d2542ace72660731fd1f82bd8c0de3132d

SHA256
f9e9ee915a81222f8305404f11c447a36d53c25ea82dfa78bc2595ddd1797d80

SHA512
702fe3b3fec9a968b4adb9c3b82d8454b0903b5f34671a990bf418f6ed31735e22ec848097c1b0526fbbb06b7c8d6e8f58dbee1ff4437f7ed1861d8cdd536828

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveLR.cab.tmp
Filesize
1016KB

MD5
5486becee98fb6ef4dc9b18785ee5073

SHA1
c146b549df71b3a84467fda95a9f7530db36ee80

SHA256
f10fe12a4bdba74d487e418a66044d5377b4af652df24a49c512ba96ac0cf33a

SHA512
2b501e0ec217d2b7b1c34c3131010a5a8473f066f314d8de07fddf694001be0f61fd6e6c74a0155e0c187daef15e007f745aebef4aac425e934940691e4d96c1

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.msi.tmp
Filesize
496KB

MD5
951c430656064e04b596877da93a6d35

SHA1
24f087e7456a7643ad1897e2cfc131073480d6b7

SHA256
2f49569d879e9d0ceba8c689b2e58119b1426c55ff13b3fb8863be2c2fa772d1

SHA512
addb6072f1e1280fa8570ff4f4f9874b67506207bb75826b2592e45a574b6c6176aaf5fa3387ad6f4634b75872b83f51f55b28b08cfc31875f540fddc8587382

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwintl20.dll.exe
Filesize
162KB

MD5
5ae04e43a2719e41f8e13c7833aa3c3b

SHA1
b82ffc8c5668678d3832603f072104e60cab93a5

SHA256
7b132d497f268dca9e8e54b89b6ea2f369468117c139475815384cee5d8f1d83

SHA512
190c726b2cf66782beeda9d7b82098ac63b9306368dcecbfd15d938ed00c783f4ee33b997651d46c5d2fa7a1fdabd8c0629f76eb6b3ce01e58deb54051adf180

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE.tmp
Filesize
875KB

MD5
489df268b1b2ed56b981c0f226467071

SHA1
2509cb916672e39b662271ebdb85b596dfa77bec

SHA256
e5a9dd424cd786ab690a21b5ccefe3bed06917b99dfa80fe4a2b531ba2e7a509

SHA512
828964512bece68420f2b08940b3369f02d5ca487f8318420fb711b8dfe841ea4ae16134811d1989cde85789f2be19db854f01b9dd5281a7ac07da7e1097936e

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE.tmp
Filesize
875KB

MD5
36cbbdf210520bfbb779b670c590f96d

SHA1
8705793bda981b91c64feeefe01294c0da398fa7

SHA256
5412accc087d4ae8a6adda111548a9886753add236dfa8883bba2ee9d903e03f

SHA512
224d3d718145b1a91f61ac3d2a1f936f02b623a179eb45902080ff41df58683fa3bace647b4b8da1727cff56515f137209c6643fa62e7b7491354b0f6c63a5c0

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeLR.cab.tmp
Filesize
716KB

MD5
1b13741528ed41891499eb22526f81c6

SHA1
1ea3df3c521377daa21ca2547872b9445fd989f8

SHA256
c004bab80cfedfd25640b5a7b90c0fbfef27ca48aba8bf6340f1390e25762386

SHA512
e3993e2a22c0a9b3adfa2befdbc5ffe4e5ea0c9dbcd4b84a5d342fd9a56c8aa155b36e79c320b6f92e5a95e7bb95df650f6cb79c240021c24c71e82595b66506

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.msi.tmp
Filesize
2.8MB

MD5
c80f7cd8117c000ff967f6d67217b0be

SHA1
90675f8e8696ea0d1fd71355acfcb2406f115961

SHA256
a9b8ff80992f48953cfe2f653aa87ead053121e031ee54906925e8754f0df7ce

SHA512
87e58975161cd724d6f96e0ce64a8259756389dee6e2abfeb59d9b19a37447da7b6b7d222b02893c38d188a8f75c9b0045f1b27ecc205b3f3c84497b96b7fd15

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.xml.tmp
Filesize
62KB

MD5
f1948a2831318ec10df9c372b0c691e6

SHA1
11cb6fda0410abba15e64b3bac7a7d3da95ce93a

SHA256
f9f780754235f4d16043ad70501972b289de55f190bf80386834933c7bd59277

SHA512
2eba7306e0e40ba277811a5679f47d4dc20f99b646618b954bc5070791e3e8b8ccb244b9dc7f06af2a57dfbee84ae0d63322abe51748c649d2aa12056aa1f4de

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.msi.tmp
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\branding.xml.tmp
Filesize
638KB

MD5
d5c95feb116e52589050418dee9011ec

SHA1
357e5fc2d090445bc629c31b68d52ba38217dd33

SHA256
da766caca5d46e7c006d3f850ecabf4fcacf48c2d9b3652f18a4dde6c39f5df9

SHA512
b9298920ad7f851f5c58d6a1d7be0d77c84574f395013f7547bdf37e58535f1a737b97cfd52452886725dc486d7cbbc267bc25bd4cfb49ce7c9d38e13ad86575

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\branding.xml.tmp
Filesize
639KB

MD5
7478eb38d6f938728567f567108a4881

SHA1
cfab6b37af69a83106568356556b973108dd839e

SHA256
f651fef377b20e198f07ca564287191eee8f15f3cd32d6ab81a89f61e5183a1c

SHA512
35e582ea7478dedbfddaac00141b0acf6e5b79540af65bf28e7f9f0beca8c39dc84070042d108b10cb8bdfc45747a85c90dc62da8bcbe74a93efaef7cf8338a0

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwdcw20.dll.tmp
Filesize
570KB

MD5
11f4b3551cb10fcdc4d06a80bff11d1f

SHA1
3df1e09a9954e3aea46ec43d3b5519a941a25d66

SHA256
51d66d804faf1383891a5388f065f6ef7eabc5bb7ced5d3c55eb60ca58340014

SHA512
3c3a8ffdd4bddba62834cd1f0fb2e6aa28e4eeb9396845db9eb110c018d79b6e9f8e0cce0833c4b428350785bb50485aa79f2529a2431547803a5883a54b1a6f

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe.tmp
Filesize
564KB

MD5
643c4a25894acfc8b4caf3350f176dba

SHA1
7282f9a4284cd055da054982bee181e828d8bf48

SHA256
60c33e5f7a396e47fc45026d77f17ac4baf0fc8fff8d1cec30a99bdb6d2c361d

SHA512
a1aca7539e159059ebb0af87837072a710412d0a0abd16c5ac3804f38f2dc2f0162cef84c9ba26ba91fbd2a9146c7cf11374fc467f1fac8b337db9348f3a02a9

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\msvcr90.dll.tmp
Filesize
697KB

MD5
993ce5f92109391b59a904da3eeb9bb6

SHA1
c0679116856f54f6912272cfc8ecddf929ea89f1

SHA256
82fb75b67b02e813a2c802ac0d3f704bd3d993979130f1eaf427d08bc87b889c

SHA512
9b8f423986f85e207cedb66b0b75adf8d723fbcdf8befedaa2d8a9c8325544a689def6319864820816b287e088ee8e37d6e1d8d0bc3485a3e648bc197ba8cf59

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\osetupui.dll.tmp
Filesize
244KB

MD5
9886b91a051ce4f9d1178acae894abab

SHA1
09288ea19cdaa5abf74cf2b401888c755411535b

SHA256
474b35bbec6e59b6d0ff92aca2d3bdb585846ecf89774fb04f0ff636c5672f19

SHA512
c87de898322879bc3fd0e6508cfae30fe24bc63956cf97a1172fe6d1f3960f2d0349ed40e04a9b873dec966f973129562eabad941e5e1c009b62210ffd3fa963

Download Submit
C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\1047x576black.png.tmp
Filesize
65KB

MD5
b2d24018f1136891beddfbfb3899e31d

SHA1
9b3e6566598eb8d558c9601d247c4a8701bf4850

SHA256
b7055d708333426f2796a040aa32cfedda1fa3b3071dd5702d30fdd776489432

SHA512
c1d5f116599e68e0b3541319bafbb18a74910707af0c655b24f28fb6408708cd7b0bf98a0bcf4a85db9f4415b2b2aed87b0800e5fcbfbab5a15ef42dede53c37

Download Submit
\Users\Admin\AppData\Local\Temp\_desktop.ini.exe
Filesize
56KB

MD5
df0047005d9d6fab9b45e9b9f19f9f4c

SHA1
df6d2f39bfa9c4e0766ff880e11685174bf6f1e8

SHA256
73a5245991dfed70b53f4460c9d03b0e22d13deef8adcc99e4249a4fa1c3fd3c

SHA512
b86c9f63dac6ce9c9c5f6247ec57837069c36d865c4d9c3f648cdc78bc8ad3d69fa2b359a611069cac62dcd312602dac9967712a94b423bc4ee513d90d9e90bb

Download Submit
\Windows\SysWOW64\Zombie.exe
Filesize
55KB

MD5
635f3179495bd7afcb91a0c3ee62ae8c

SHA1
8bac5f85cfbc2d4846d4a49fec63bc041fd5b824

SHA256
79dd6dc8dae11609145ebbb3feb682bc99e92dfef4bed88641725383abb2b13e

SHA512
c405da174a5cdbfe3376f5ba6309465c842027ce82980e081c7bb201d71a3aa6b2162db22a41734c3365dcf37d5650bae856b4621525b43352939ca7394d44d4

Download Submit
memory/2904-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2904-7-0x00000000002A0000-0x00000000002A8000-memory.dmp

Filesize
32KB

Download
memory/2904-14-0x00000000002A0000-0x00000000002A8000-memory.dmp

Filesize
32KB

Download
memory/2904-272-0x00000000002A0000-0x00000000002A8000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads