e8401061dcfbfdad9b8989efbc7dd16f61535a7b52ec7c724d87fb3d89a567ba

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 04:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e8401061dcfbfdad9b8989efbc7dd16f61535a7b52ec7c724d87fb3d89a567ba.exe
Size

132KB
MD5

c7043c060d3bf97749dca86da6ac6b92
SHA1

e9683bce126136413dfd042d601a1d23118a9513
SHA256

e8401061dcfbfdad9b8989efbc7dd16f61535a7b52ec7c724d87fb3d89a567ba
SHA512

6601797c3629aa47f7299749d96d28bb431d189d3b1bb442a1b56262038d050982f4d90c9ff059d1dc9af561b0a06833d4366198e8c8915709e2506f7e11e2fa
SSDEEP

1536:V7Zf/FAxTWoJJ0TW7JJQOEK/KK7Zf/FAxTWoJJ0TW7JJQOEK/KU:fny1/8ORny1/8OT

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (4300) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 51 IoCs

Processes:

resource	yara_rule
behavioral1/memory/836-0-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
\Windows\SysWOW64\Zombie.exe	UPX
\Users\Admin\AppData\Local\Temp\_ChocolateyInstall.ps1.exe	UPX
behavioral1/memory/836-8-0x0000000000270000-0x000000000027B000-memory.dmp	UPX
C:\$Recycle.Bin\S-1-5-21-3627615824-4061627003-3019543961-1000\desktop.ini.tmp	UPX
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe.tmp	UPX
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\osetup.dll.tmp	UPX
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\PidGenX.dll.tmp	UPX
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.tmp	UPX
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.tmp	UPX
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml.tmp	UPX
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml.tmp	UPX
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.exe	UPX
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml.tmp	UPX
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml.tmp	UPX
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.xml.tmp	UPX
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OnoteLR.cab.tmp	UPX
behavioral1/memory/836-186-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveLR.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveLR.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\branding.xml.tmp	UPX
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE.tmp	UPX
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwdcw20.dll.tmp	UPX
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\msvcr90.dll.tmp	UPX
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeLR.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUISet.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OWOW64LR.cab.tmp	UPX
behavioral1/memory/2372-275-0x0000000000400000-0x000000000040B000-memory.dmp	UPX

Executes dropped EXE 2 IoCs

Processes:

_ChocolateyInstall.ps1.exeZombie.exe

pid process

2372 _ChocolateyInstall.ps1.exe
2340 Zombie.exe

pid	process
2372	_ChocolateyInstall.ps1.exe
2340	Zombie.exe

Loads dropped DLL 6 IoCs

Processes:

e8401061dcfbfdad9b8989efbc7dd16f61535a7b52ec7c724d87fb3d89a567ba.exe_ChocolateyInstall.ps1.exe

pid	process
836	e8401061dcfbfdad9b8989efbc7dd16f61535a7b52ec7c724d87fb3d89a567ba.exe
836	e8401061dcfbfdad9b8989efbc7dd16f61535a7b52ec7c724d87fb3d89a567ba.exe
836	e8401061dcfbfdad9b8989efbc7dd16f61535a7b52ec7c724d87fb3d89a567ba.exe
2372	_ChocolateyInstall.ps1.exe
2372	_ChocolateyInstall.ps1.exe
2372	_ChocolateyInstall.ps1.exe

UPX packed file 59 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/836-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
\Windows\SysWOW64\Zombie.exe	upx
\Users\Admin\AppData\Local\Temp\_ChocolateyInstall.ps1.exe	upx
behavioral1/memory/836-8-0x0000000000270000-0x000000000027B000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-3627615824-4061627003-3019543961-1000\desktop.ini.tmp	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe.tmp	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\osetup.dll.tmp	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.tmp	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\PidGenX.dll.tmp	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.tmp	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.tmp	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml.tmp	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml.tmp	upx
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.tmp	upx
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.tmp	upx
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.tmp	upx
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab.tmp	upx
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab.tmp	upx
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.exe	upx
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.tmp	upx
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab.tmp	upx
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml.tmp	upx
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.tmp	upx
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi.tmp	upx
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi.tmp	upx
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml.tmp	upx
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab.tmp	upx
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.xml.tmp	upx
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OnoteLR.cab.tmp	upx
behavioral1/memory/836-186-0x0000000000400000-0x000000000040B000-memory.dmp	upx
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveLR.cab.tmp	upx
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveLR.cab.tmp	upx
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwintl20.dll.tmp	upx
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\branding.xml.tmp	upx
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE.tmp	upx
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwdcw20.dll.tmp	upx
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe.tmp	upx
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\msvcr90.dll.tmp	upx
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeLR.cab.tmp	upx
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUISet.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OWOW64LR.cab.tmp	upx
behavioral1/memory/2372-275-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

Processes:

e8401061dcfbfdad9b8989efbc7dd16f61535a7b52ec7c724d87fb3d89a567ba.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Zombie.exe	e8401061dcfbfdad9b8989efbc7dd16f61535a7b52ec7c724d87fb3d89a567ba.exe
File opened for modification	C:\Windows\SysWOW64\Zombie.exe	e8401061dcfbfdad9b8989efbc7dd16f61535a7b52ec7c724d87fb3d89a567ba.exe

Drops file in Program Files directory 64 IoCs

Processes:

Zombie.exe_ChocolateyInstall.ps1.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\InkWatson.exe.mui.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\Ole DB\fr-FR\sqlxmlx.rll.mui.tmp	_ChocolateyInstall.ps1.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationRight_SelectionSubpicture.png.exe.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-options-keymap_zh_CN.jar.tmp	_ChocolateyInstall.ps1.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Pangnirtung.tmp	_ChocolateyInstall.ps1.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InkWatson.exe.mui.tmp	_ChocolateyInstall.ps1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\splash.gif.tmp	_ChocolateyInstall.ps1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\.eclipseproduct.tmp	_ChocolateyInstall.ps1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-8.exe.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\doclib.gif.exe.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.di.nl_zh_4.4.0.v20140623020002.jar.exe.tmp	Zombie.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Xml.Linq.Resources.dll.tmp	_ChocolateyInstall.ps1.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msadcfr.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationRight_ButtonGraphic.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\license.html.tmp	_ChocolateyInstall.ps1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\MST7MDT.exe.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64\profilerinterface.dll.tmp	_ChocolateyInstall.ps1.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\de-DE\chkrzm.exe.mui.tmp	_ChocolateyInstall.ps1.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\performance.png.tmp	_ChocolateyInstall.ps1.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\shatter.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\feature.properties.tmp	_ChocolateyInstall.ps1.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\15x15dot.png.tmp	_ChocolateyInstall.ps1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.net_1.2.200.v20140124-2013.jar.tmp	_ChocolateyInstall.ps1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.addons.swt_1.1.1.v20140903-0821.jar.tmp	Zombie.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.Linq.Resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base.xml.exe.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-back-static.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-execution.xml.tmp	_ChocolateyInstall.ps1.exe
File created	C:\Program Files\Java\jre7\bin\ssv.dll.tmp	_ChocolateyInstall.ps1.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.Services.Client.resources.dll.tmp	_ChocolateyInstall.ps1.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\TipTsf.dll.mui.tmp	_ChocolateyInstall.ps1.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Trans_Notes_PAL.wmv.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Taipei.exe.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-loaders_ja.jar.tmp	_ChocolateyInstall.ps1.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Xml.Linq.Resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\msadc\handsafe.reg.tmp	_ChocolateyInstall.ps1.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationRight_SelectionSubpicture.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-impl_zh_CN.jar.tmp	_ChocolateyInstall.ps1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-execution.xml.exe.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-attach.xml.exe.tmp	Zombie.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Web.Entity.Design.Resources.dll.tmp	_ChocolateyInstall.ps1.exe
File created	C:\Program Files\Common Files\System\Ole DB\sqloledb.rll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Palau.exe.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4-dark.css.tmp	_ChocolateyInstall.ps1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.text.nl_ja_4.4.0.v20140623020002.jar.exe.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Chuuk.tmp	_ChocolateyInstall.ps1.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Windows.Presentation.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\7-Zip\Lang\eu.txt.tmp	_ChocolateyInstall.ps1.exe
File created	C:\Program Files\Common Files\System\Ole DB\it-IT\oledb32r.dll.mui.tmp	_ChocolateyInstall.ps1.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\it-IT\ShvlRes.dll.mui.tmp	_ChocolateyInstall.ps1.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\1047x576black.png.tmp	_ChocolateyInstall.ps1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Tallinn.tmp	_ChocolateyInstall.ps1.exe
File created	C:\Program Files\Java\jre7\bin\orbd.exe.tmp	_ChocolateyInstall.ps1.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-environment-l1-1-0.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-output2_ja.jar.exe.tmp	Zombie.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\WindowsBase.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipRes.dll.mui.tmp	_ChocolateyInstall.ps1.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\Ole DB\it-IT\sqlxmlx.rll.mui.tmp	_ChocolateyInstall.ps1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Samarkand.tmp	_ChocolateyInstall.ps1.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Kentucky\Louisville.tmp	_ChocolateyInstall.ps1.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\IpsMigrationPlugin.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Trans_Notes_PAL.wmv.tmp	_ChocolateyInstall.ps1.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

e8401061dcfbfdad9b8989efbc7dd16f61535a7b52ec7c724d87fb3d89a567ba.exe

description	pid	process	target process
PID 836 wrote to memory of 2372	836	e8401061dcfbfdad9b8989efbc7dd16f61535a7b52ec7c724d87fb3d89a567ba.exe	_ChocolateyInstall.ps1.exe
PID 836 wrote to memory of 2372	836	e8401061dcfbfdad9b8989efbc7dd16f61535a7b52ec7c724d87fb3d89a567ba.exe	_ChocolateyInstall.ps1.exe
PID 836 wrote to memory of 2372	836	e8401061dcfbfdad9b8989efbc7dd16f61535a7b52ec7c724d87fb3d89a567ba.exe	_ChocolateyInstall.ps1.exe
PID 836 wrote to memory of 2372	836	e8401061dcfbfdad9b8989efbc7dd16f61535a7b52ec7c724d87fb3d89a567ba.exe	_ChocolateyInstall.ps1.exe
PID 836 wrote to memory of 2372	836	e8401061dcfbfdad9b8989efbc7dd16f61535a7b52ec7c724d87fb3d89a567ba.exe	_ChocolateyInstall.ps1.exe
PID 836 wrote to memory of 2372	836	e8401061dcfbfdad9b8989efbc7dd16f61535a7b52ec7c724d87fb3d89a567ba.exe	_ChocolateyInstall.ps1.exe
PID 836 wrote to memory of 2372	836	e8401061dcfbfdad9b8989efbc7dd16f61535a7b52ec7c724d87fb3d89a567ba.exe	_ChocolateyInstall.ps1.exe
PID 836 wrote to memory of 2340	836	e8401061dcfbfdad9b8989efbc7dd16f61535a7b52ec7c724d87fb3d89a567ba.exe	Zombie.exe
PID 836 wrote to memory of 2340	836	e8401061dcfbfdad9b8989efbc7dd16f61535a7b52ec7c724d87fb3d89a567ba.exe	Zombie.exe
PID 836 wrote to memory of 2340	836	e8401061dcfbfdad9b8989efbc7dd16f61535a7b52ec7c724d87fb3d89a567ba.exe	Zombie.exe
PID 836 wrote to memory of 2340	836	e8401061dcfbfdad9b8989efbc7dd16f61535a7b52ec7c724d87fb3d89a567ba.exe	Zombie.exe

C:\Users\Admin\AppData\Local\Temp\e8401061dcfbfdad9b8989efbc7dd16f61535a7b52ec7c724d87fb3d89a567ba.exe
"C:\Users\Admin\AppData\Local\Temp\e8401061dcfbfdad9b8989efbc7dd16f61535a7b52ec7c724d87fb3d89a567ba.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:836

C:\Users\Admin\AppData\Local\Temp\_ChocolateyInstall.ps1.exe
"_ChocolateyInstall.ps1.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:2372

C:\Windows\SysWOW64\Zombie.exe
"C:\Windows\system32\Zombie.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2340

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3627615824-4061627003-3019543961-1000\desktop.ini.tmp
Filesize
67KB

MD5
3a4805aadd3f64b2319dda4b9fe832bc

SHA1
5adc97a4e33fc4a9edff6a494b7e94b1b55c2fd0

SHA256
c58f31c6d886e865a9fdbf185d26b26989e464b38a797fed61df5da2dfc65243

SHA512
012444689a3cc73b96f88c4df1a5d9af0fe8a952a2bb0e461ad1e197401595257e7c8843a2c61a31fe8e17a15b38c1eca47a49881e362f8f6f9eb350a30e7627

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.tmp
Filesize
22.8MB

MD5
ba880d3500162d8c4cbb432ed297c912

SHA1
f268d984461b116fef3997bf06f648b4ea3e93cb

SHA256
1ede0d9893697ab82ce2ffd94909710dcb5c62269871b0b4636e0a7cc49fc390

SHA512
764995ce208c0337b5f08167c36a99400bb7475b37e7bf2d1e2d9e411748509ce2efeffc367cd5c36a0bf8bc21dd88571a0368d46754c230808912bf388b75b1

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.tmp
Filesize
68KB

MD5
4081de47ec361ba22ca3aed4facd0324

SHA1
0c1f31249cb3e10591aba69b1ff79b100ce33ffc

SHA256
7e087e802991de2671222de87911bdf0ecb16f609c00bff7a3274152703d1009

SHA512
53f6d7eee322aeb136f4e0ea17dc3587e2798896cf4067f0f37c80d724bf6626ac88c1010eb5f736047d09aa05cec7d34bc11728f913191b958214fe3afddcf6

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\PidGenX.dll.tmp
Filesize
680KB

MD5
e04d269d23ffff066302e5b3a9c4b9cb

SHA1
2cd80e5c734b7e918304ad96ebb42b1f334eb079

SHA256
25315e406d46fdbed6b2387e8546edd41969c0e04bebdbc177a61800bf4c5ee7

SHA512
8e747f6b421a935153bdd16bf59f1f9bc02c000fa59937cf96973bc89c6df9f1795862c854926338fb4ffd9b383adfb4e8f5c821d1e4b9c22dc60cf17e108132

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.tmp
Filesize
3.5MB

MD5
b2d7ae6aea22095f695463a26f3a0fe8

SHA1
e4e78b1768dfe1bc2e5ff7fea1022cd6405b6eb2

SHA256
d615d0c0f2ea7e02c2e1fdb4cd1b06afaddc8474242fb7e38aced3647757d7fa

SHA512
6984bb61f4aeeb4589b1e4579fd2351130cb890c5fd7feebd6082885e99d06835779aabf891be3aba1854422171d8512a81c068fb4043bc8eee983089e8c7ed0

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.tmp
Filesize
23.7MB

MD5
c3c8cf16447bc80816fb97ca46b35ac9

SHA1
69a1a8367a0b634c9986bfece1af3eef67b6336d

SHA256
484926c62ec5dd7611c3feae6632be71a83b900e38288a6ca314007fbb2648eb

SHA512
1aaabf3ffffa79c848f68502068bbd7e574944407783e3676aa4a3d124632939e1ce2ccfc11ada0f82ca06cdbdda2b8bb5ec852a6ccf611f549ddb61646c7b22

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml.tmp
Filesize
83KB

MD5
036c2183de96436616e997af453d50a9

SHA1
c9e4a2c9911a6179eda2c6e2924cbdaed95686eb

SHA256
432d124cdc2e948b36bb4be89694839d5f8f0e1a969eda7703ec906cc6aa6785

SHA512
d0d177cd1a034a89787358219d8140617e8bca608528edc71ac603efee40c68a238a650262bb98ac362cd137c20d42b08e8eb0476ddbd0225142f9d774302237

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml.tmp
Filesize
97KB

MD5
d5468998ae70cda0c82e9724681f607d

SHA1
ee76c19664662ae037bf17aa6355b28a6676e355

SHA256
c531cf4dbdb1041f0198c8fd18c247d191a3484a55c206985478655421924e9a

SHA512
38ee8cbd71929aef007b20d454076690be75f263246c6beef4a74d10bbb1d6128478f9033c8cdf2a5ef8a30a2000137ad3c993f7d2bf08b3d3737574d1261cf5

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe.tmp
Filesize
212KB

MD5
c9c71496cec5444c957635fc773ecce2

SHA1
9deadcf5ce220ca52bdbfce7404e534d1d9a4f68

SHA256
8e84b5f7ee1ce9445fa8707cd5809575f72f129acd247e1f4e114bcceefc4468

SHA512
409893e6e48a2b0f6200f20f1d45884066f6b252b4913fb7081ad7778b7ecc98cc9c27b2e3baa55323bc7ece0ed7f58d939b0786cfdd6d0acb886cadef82d5d7

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\osetup.dll.tmp
Filesize
276KB

MD5
2d312674f224020b504ae02a9b21d4b5

SHA1
0f7a52d12cd30e36d6ee1b2a3214c8735783ea50

SHA256
c774db0a2be45b83c52ab6a1d3f2a3c1e974bafc7e2f649c8baeee0e4b3d40f9

SHA512
a487f57b1c5f8dc6b070ab07b65872551f8a42c6581987e41285c4e0d9754f4699c28b84320d6cda2e985979e593962a990ed4fadfaf7fc953a8d52de6ed78bc

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.tmp
Filesize
766KB

MD5
388d110be87c35d7db7df66dda8376ca

SHA1
f7bc210bfaa64d365740a2c41db63bf87902276a

SHA256
eb084f1bd8bdceeea92eb95b60f67b01e23ebbbaebec63a10a28a44015be80f3

SHA512
e7d6f646f4744681e4280a65ed3ee9dbf8475136d6ba2b5c28f1d5557fdd7adab433203c428391183622802447cf226fd3bbf44b8c6e618f025c469a8bdefbc3

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.tmp
Filesize
766KB

MD5
bf58194e782b384c99dc46e91ec4d81c

SHA1
40d8285d24af97e62e3ebfa424823c5a3234a046

SHA256
056dfc7aaba9c87662accd666c8c21f2915ba9d545c1c145d8b6d4c63eeb5332

SHA512
c7c29b58e9492af34f45c4ee3737c8919957648076b64c50bd9b093cd098d20ffc55bd94367b40242a5d2cf721e16910768ceee77ab473b5fc624cb2a2ce1762

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.tmp
Filesize
72KB

MD5
1e422a923a05343d9b3c3bb09dccda51

SHA1
215aef0ff808f1b4f082dc40f7f99c6b02c4b81a

SHA256
5ae9610859ecfe8602d494bcc6e8fedb617b88613f2dbb09ff62bad76f9d4395

SHA512
3a6724db46de8dcc92d791bea0e2247ec4a00e6d2b5bc026bfff37aab020d28499de3ded526b85fdc17b58eacb0fcd68bfa4438a5b9122b4db9b39eabdf5d293

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.tmp
Filesize
1.8MB

MD5
da94dd4bf8f09eef84bc2453539d20ac

SHA1
0fccff75a0e98b1e4ddbc6e537f31d7590434a55

SHA256
2d26a43e2bbcada0807d9355c6104853cc90a828a90444a8eb2ffd015fbb8ae4

SHA512
0b8e7b7984e4c92d104319d30be17be83667657d95eac47a8d7e1ca3c144fd9c3c941161b08761ed2f891eff3677dfa70e826af5c3cf01c1b8740baac50c754e

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.tmp
Filesize
704KB

MD5
2385048619d3f03aae90dfab32f95552

SHA1
f68d9ab3fa6f856b2331344229eb55123180642b

SHA256
acbb17e4a920d1687ede91b091812c6104f6d82d1213903b4daadb9b4fb61700

SHA512
6d7261c2260e61858f4ec0e0f5224e6bf4c2541778f118a220cb64f029c7c8e13c09a3579356c664dd67dd98254c57663a9b6a214cef01859cd9a40b6db1acac

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.tmp
Filesize
1.8MB

MD5
0ab294df5ef34a928b4583b4f15780c7

SHA1
d48189045f61466b2b4d289758a2ae9150b37233

SHA256
262714cce6a1f22445e16e4c9ec338d645d4284093ed8e2c3f1d81a217e85a8b

SHA512
90e7c08a27a197161de101426ecb64c2b8ef8e63b9e10a75032aa3d42cdf6b08a7ad16c13931a6f7f31c97c330fb0e7aec749edd4dad7af1c0d59370d2862ce7

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.tmp
Filesize
2.4MB

MD5
2a6ba3590109c970541c4da69cb985fe

SHA1
ba93c2000b2ec68405b018e167dc922a34ea8d70

SHA256
bb5734d7c346a73dc691ba69186ecc931e4103ff2cfe9cad0cc47b69a3cca447

SHA512
cbf45a1d400a856e1fb1b4d09c25e369b6d472662db9295b028b1ab9351c86cb5308fa5e0cfa9c306e6e6e326f76dad8ce04c27ca09f4fb0450251f6ba8eb9b7

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.tmp
Filesize
9.6MB

MD5
36bfc97aaed2a54885eb62d5534f3b7b

SHA1
9f99496f51e537e5ac59a39e26572528fc09beea

SHA256
703b06a51528d74fa12686f7181bf398edc730f9600b2c6b0b8d1254b9a8733e

SHA512
c2f71b4f06f8b5f7535d103f1724ae29b869f7110cf30308fdfa5a4708b23d0fb2fe27c274ac0eff8e72213c0dbfaa7781c12aaa9a033f15c66d3849c7af17a0

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.tmp
Filesize
1.8MB

MD5
08d83807c0afab56347b7216d2a33ea8

SHA1
fec1f0bd5488da0ea641c0402432c1c359bc8216

SHA256
ed092bdef92d3e81d2a0c25be9c45920b8eaecd8a488ef7407c04fb5c7d37a04

SHA512
005dd843b9c2f3022e07f645e6e69c319011f5181e18750f1f5bb6867cc52dec18c9c899c2eec0d25f40c4b46f8c3023c79bb3304ae0d597891caa7a5416dd5a

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab.tmp
Filesize
5.7MB

MD5
0e0dc4123577fecf8ae389edb53b17ea

SHA1
caaba631cf58b83ca450be26d3916a0fc18affc2

SHA256
c46e7b763c1cbc81da92c5f6f4e16abbff565075d76a16a7d6e5d12777a689a2

SHA512
e2594c6fa2831b12459dc894e16b8977c79840a1dcb5429e18b3fd0ab358b07aa838b272fdd01543a0509f9e82fbc1616edb4ece5cff98920aa0e1a58d89e591

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab.tmp
Filesize
14.2MB

MD5
b50dbcbbd73e3cddc4a69a61aa0f7d46

SHA1
ec6a3e650032dae1f89c224e2a8490d6c3b6b6aa

SHA256
b2bcc36e647ce94c96203a6e10502370f11ccbbbdfb65576cba65c4b03894c50

SHA512
5d8caf24642162ec2d6460094d3ce07a2d9171debc577f350b6aacb38e9c8d049c3454899486900b3f35aaee392e66fe4a1a55f748ddba27bbe6f4b259314c24

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi.tmp
Filesize
2.1MB

MD5
d33bae096cffed172c302e6f2186a434

SHA1
e5ea79094fdfa44eb5d27925143e9323e05ef093

SHA256
5bb05bb010feceb8a03d589f4ad56e82302827ef40e0351e135aa7a84fb3c742

SHA512
6c95e017c5a4d3c5441ac1fa0abd42bca940ab5966f66a1914b44cbc6974d961146f48a47c6672e47682e3fc43707569e7089efc7e08eb2000e614ab9b19e4e8

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.exe
Filesize
71KB

MD5
7e5bca3c2e164ee47daefd831ba0efef

SHA1
6a4fcc450b50a3b798a7c80009e8a1b4852af8a7

SHA256
173cc473cd0a09a55233934221292c78700867d5d9f6e93b384fbc0f944ddc76

SHA512
65c91b05b2f28e5c6368deea7b19a90161e41a50e39bfd74c2f6034483b1c00bac7c7ce6af4ea2f380628dd53210912a795a544e6e58b9de285c961c4990b2b6

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi.tmp
Filesize
1.8MB

MD5
a789ee5038fe0a0d64d09ab583462eff

SHA1
daf5d125f899df5ebeba4b18b8a493aab7245fb9

SHA256
7f0d213084511db17bf9488eb6c4bdf569d08cbd252899792710ab3fe2d61861

SHA512
bc2946b6745896cf75c56d14b15c28cee7c38f04498a30d5f998bc6221e56984ea196bbd4b207512a1e2c4432240e38371521b61f6dea00f8157adf6dbe1592c

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.tmp
Filesize
8KB

MD5
07c89738f2855c14f71cdde144eaf9f3

SHA1
5cc29530d3f1f734fd9b74ed264b7978b4336295

SHA256
c146e1696045b37a08cccd0f82f3de3e023a9b016899c675438f5483280a11c9

SHA512
3ef9056bf807a0d1efa22b92c0624dfff9a5f199624998b7be309d4bfb4a8ecc34ed6aae0fbc63c12e14e9fc35283aec253e8fc8b1baca9fa30073b52edadd18

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab.tmp
Filesize
1.1MB

MD5
ebfbf7f3e0572190d7c3cbc344501e30

SHA1
530f3d13a4e21df3f97047109b3e80015dcb578e

SHA256
a6b00616fe61fb576da60bec77321ea12595ef5873e6196c7eee8129c3f33444

SHA512
f5fa14422111905833f4fdd83b85a55bb6a5783df5c8f114d0c9baf59db773740ceb91fe3a85c4a9e2394d7bae4c6c24ca5e14cbdd22df0292c5af39ec5c3d34

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml.tmp
Filesize
69KB

MD5
9dd04b2019b77d59dd8c6924e2bb65e0

SHA1
e86ebbebf48634f97f1758ffd5b839aa7df3971c

SHA256
d35296ee4a66858087ddaf8072496b59ce64460c47f7ca9ed8d6f20c99ce4328

SHA512
0dc5e4f9cfd4b1e746fabf304d1a7c9968a4e6f6d591f3d03d76ef63ec02c7992e166c2acd63b4798a8e57e48ae120bc60c8389eea711f03777c50d1eb5cf643

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.tmp
Filesize
68KB

MD5
4c122968aabd977a567151809da3e521

SHA1
52ea77a4ea43107e8bfc5e723afdab2f91b7b8bf

SHA256
4fe84eddb664c318f908518b01070fef35c81c8e8c049ad72ad8ef945179efad

SHA512
78a125a97bda428256182392c5c4b518fe31701c9cbf830385168ac0bc7d9b958224c728d343907a70a9e975b7e906797cc07ab214bd6062c97d0ca487d66311

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi.tmp
Filesize
432KB

MD5
496cc66adac1f2e4fa5d9ae059f702bb

SHA1
425bffb1b47105b3779f3f4342df246b5535f86c

SHA256
50f3c18c50783d52da610010ccdc3edc72488b7e52d5dc9e8586c07dfb5d1238

SHA512
8a21e4f88d649f24b9e3bd26213ac77e2748daafd11a2f4e5524f02cde29f31fe86f0e71199c3fa9ce39030202a0c9058b4738869f2644e5f41c0a83948ee6b0

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml.tmp
Filesize
68KB

MD5
4a556b9c696506f9adbda54979f52b56

SHA1
5c2170bd82faab12edad0aba9145e6bbd53ddb04

SHA256
66745bc8102a95f362e316a5725c2fa008c0e5fc2f4f19ce1ec15a83f8e71e2b

SHA512
48a00ac3bc04cf9aff49ded3005dca1be8727924dd2404cd6357c6e5a1d83d4baba27ee913fda5e58f5c8ae880838b886ea2455832aac57c3a5f620d61450fe8

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi.tmp
Filesize
702KB

MD5
67170d3a71694938652bd9142ba94417

SHA1
8d993fb2e109e718a2a041a731bf32831c35f383

SHA256
fbf10e5ea7e759c9e3ce96f2f795ffa634bc3a73bb7ce106b1aa0e286897739f

SHA512
d91c31b7b21d253b2ff79db2aa6b5aba1a46fbf3f90bf52290c0caf647492544be539a170e0fc429211255a74b4b935c9b581266422ca3f06436b7f0c63c7f40

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi.tmp
Filesize
702KB

MD5
c652963e6b2c098d4d3728853d8b5168

SHA1
ca0d5e5376b1bd612e90c0013b9b73172197fd27

SHA256
634b5d4920b0cfa8f2d0e4175a1ac1895d8b71fa6d9512a8bdb498fddc77652f

SHA512
fd52b5615d6378c8e5352578f979bd309f9b115cdd344973f74aa04e961db32e48c71f6d5daec615450203c00c5f699ad5c2dfffb7eb92beea01d3ac73c58f70

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab.tmp
Filesize
72KB

MD5
f8b34b536bb0ae0fa874b3278ec0c8fb

SHA1
9227dc5389bcc3804a32a843c8a3659534d91be5

SHA256
d5d34cadfa5613dac12bc4d3d581c4e39b28466a7af135e30db5a551c62add51

SHA512
99e407bd73282795eee4df843ff93011b9c467f1a4a853d01bf49781fc76b3f23fbf9f210b49bb11c4e639e59ab6b48fe7b23fcc1948f3d7b44e58a27a98640a

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi.tmp
Filesize
2.4MB

MD5
0094053d65d52c38989fca26227ec65e

SHA1
08453ef77b3c6038bda9cbf48e4a016cb74d4615

SHA256
a6cc1b34435774b5d434ba42bfefc9ccbaa3320783605da6d13ee8b7d77b8ee4

SHA512
f3561cd2ab277e01ecc1d436fe20bcd80b82f6bc33fcfb6fea9394bd1b3ef39fa2d271bb4168674b4cce5b6eda1df543bcc6d83b211b97b8565de751caa7d052

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi.tmp
Filesize
2.4MB

MD5
816695a0c76c7fe1599b51b14deb9017

SHA1
12f9410e8f76e430af577bef5eaf5f5587f538bf

SHA256
65786694dc0adbcd1738176bd0cdb11b6dbfc85a13e391615a0d2da348d09c38

SHA512
6a64c872bcb8e0753df00c3c7363d36f20927bf596ee84f5b9bd132f3ef8b2ce55cb33750ec8ca267c1696f947220596c9b2b1748d46e6210261b110943d6b05

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.msi.tmp
Filesize
64KB

MD5
b181b5b20f016c5983a739434451b822

SHA1
69c2aa54aedf8051bf7a7e2cb15be616e6ad727f

SHA256
5c359ecb6638f8f15105bf12433452727bc805d43e41a1bbe3396abb990885e0

SHA512
d49bd7c5f59194dc7c9d61a3afbac0ad94f4068dc6b589054fe31b28229f31d9473c2e81e5c90413dc94bbd1547eb2f07f5c721cb5290371a52c38013455dd1c

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.msi.tmp
Filesize
1.8MB

MD5
6e09f02c802e0a74a233bd055167ad86

SHA1
e339cf7e0d516dd9a7ab458cb9be5f4f1b167a9e

SHA256
7dc14103ce94c446a0309312ad47dd8fd38a8b3a3152fb97109629b765d2689c

SHA512
ca26734b78a287f32f35e7560f443dd0707e44cf11967d65cb3c73c5f3c6e8cad6290485e293ed9185a97f2a672420869f790824c713c0d554bafaed20ad0636

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.xml.tmp
Filesize
70KB

MD5
95ff2cca380d1b11d7fc8e31b9eecd60

SHA1
a2fab799979b1406c38de4bc036291ab8c78f5af

SHA256
650398f0087e4a18d92fd33fd42d004f8e4fce8ef1f1d1015d6ba920c288f08b

SHA512
b86a5a6951cf8bcbdf7fe6f1122ae6f02e490252e0f02abbca8208dce86111e00b7f023e6fe33b296802f8a2e75cab9e898a43f37b8973fa8a80a45dd40253f0

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OnoteLR.cab.tmp
Filesize
4.5MB

MD5
2460bf4c590f22ac7e11a1fe2a355edc

SHA1
2ed4c4e3357e9b4d655a2a57f6eea6e83df75b90

SHA256
1ab2c4f3a36d1450951b281188cfcffb0434cae6556c1c9cfd272fbdb27cd74d

SHA512
a661f1297727108a341c2f278b100ee55cdd142a7d204e48a1b2d0d03cd3284818025f7755409c7e2842f3de826169e3cef4ca249baecd5325aabd3b5c361a9b

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveLR.cab.tmp
Filesize
68KB

MD5
60b03f2da3d4f7db128f168a3d83e528

SHA1
61c5a4633b4a618f0a179869885bb1ebca1f8db4

SHA256
b56d07463c9955cb370bc1f27536ff0008b3f46e9bad8d5665d6274f0afc746a

SHA512
2e8c9662df3c992aadc42bad169cb93496bbd63f79fdf6513426b9e8e6740bc54fb5cbd2a86c65d0d18226c99c4ec3fc625e4f758f15e80d7311e71c3c1e0b43

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveLR.cab.tmp
Filesize
4.0MB

MD5
257ccd1e3950c0ff388865ec33427a2b

SHA1
9dda63da9db5de93a3ff79cb9db229927cbd9fb6

SHA256
b6885035395607098705b8da2402006428d051120db01ff23be01b437ddf31c0

SHA512
f99e7134824c51262b16dc807bd853dda9a567f9d253e305f87a9debe110741c8585812157f2de7c45a00ced8e138350177fc2cbb13143a79b30a6181119e543

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.msi.tmp
Filesize
1.8MB

MD5
33dfe0656fd589ec6a4123c66dc90de6

SHA1
51c108207441736564fe6caceb027bad55c3b743

SHA256
85ef692cec80467d262fa0258e75daf99c7ed6fb3fcf8141b3c61ad993405a03

SHA512
3d12b1314decca1f782c20f4064c7780f1590c6809d613defd9aa6ec00a6784bb8003af6d587fa183d536750d4a74e7e15737a29e15156cda72c607d58826db5

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwintl20.dll.tmp
Filesize
172KB

MD5
9c85976c73f8a68d0603baf9a9b99274

SHA1
c4cf518da1fc56ba1d272735ce26ab3ef07c60c3

SHA256
0e96f1907e7d4aa94d94b9808047047bbf646868d2fefea1a88719949ea489f6

SHA512
b28517b919eaef0a81996149c591e299ab550e7b69c3d83fa03bbef628b0095e56772f5761c4aec25cea8d156e29ae6c2afa41809292275beb9c8a290da69681

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE.tmp
Filesize
232KB

MD5
ad606ead004b87c39ad8a12e465839d2

SHA1
619676e40a6e7c73c8d8d7bbde8dd228b902951b

SHA256
51429670be2102d9b223c817a303abe6da17fe108aeab77286f3be14ad055c02

SHA512
8026e8707ac4329205e2d1fa0dd8c5ecc425f99a4083cdd6387222f20bd34afecd7d94d0228bb4c8c98c90dfff2828f3943c2dc0cb7c7789bfe92cf9eb83105f

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeLR.cab.tmp
Filesize
13.7MB

MD5
8fde2d5e5ce5b868e0b68cb2bcf18a26

SHA1
82163679d0bab5e84069580f44b8ba82589af773

SHA256
2e698e1c05ea3f71e4f6f2219267dfc382046784d254e11a2debecd6bdfd27ce

SHA512
1151be04bd00a9686ec238a32186cba4bf2c1480113a624548b530551fa6f233f3ff0fb7b41a35bab4a0f7399eb1c1111471e9eb40f36756b4d9a0cd34fd2f23

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.msi.tmp
Filesize
2.8MB

MD5
663d281555d00eb7883ba8cd1e628949

SHA1
8e5a44ee72278beba84fef3394473d13d729b21d

SHA256
25b1f06ca518522f75d707bd2d51391a3a888aec2c75830ea589a63145d728b5

SHA512
4e14961475e4b687c8acaa9d1484520a43c340b2780c81930c740d6065a26aa0e8fb7ee643bb63e01dde1d894dc0e06331ca76e8ca5ec6a1c82aaf4ce58aa862

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\branding.xml.tmp
Filesize
649KB

MD5
bc328a415691b2a6bdc7f44d02a9b2d6

SHA1
74e7eeba6ee83411bf1a55481dafbe4fe937d0fa

SHA256
23be9c6be2a2d5bdbc4c70053f78d941ab13e2b33f2d89259274ff6a32a0f814

SHA512
cdc7ed6977821ac8293ec82a77ab2b2a45cf1b5a8f6b65a8efab3c0ff978d914d04ede9f636d85ebe37734847d6ab601b0c340fc30f98d55d228d5f72eaeddb8

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwdcw20.dll.tmp
Filesize
580KB

MD5
6274ef60818096118a4c0279cfa629a1

SHA1
e83771b8a066121da039e339a282bf472a744835

SHA256
61d331889f47152d06d25433653c6f854869be22377621d3a26b43716cb61b7c

SHA512
9d62b8ba5952f57ce3b0eba5dc1e0834dcb0e8736637f35732ff76bfbe5f5dac37a3ef7723c261639658b487206668cf1c5a1407f32acc6e849d9d4a83efbadd

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe.tmp
Filesize
12KB

MD5
db5074e455452ed93fa4ea03c5770354

SHA1
3472fcd9808ad35e9214144e76eb75b21d88a786

SHA256
d700681cd14e2829e8170c383a023aa3dedcf20964ff03644ca81c533f7d9424

SHA512
aa862b76ea04967d46a278159cfcf8412a4b503cf1afab9b61ed97ba118450917f8f7a4c004fdc6f057168ac06736318381f1679248a18aa91e6ef0115ba2bf6

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\msvcr90.dll.tmp
Filesize
707KB

MD5
11e3c10140d7e4fc63b6a556eec79008

SHA1
c9b504d3f3c493e6abdc725ae2e903dbf0f21a93

SHA256
b8302be13a426e8eca455dd2f74418aaae69250038c0797f90354cf3cfba8a95

SHA512
fce5ba945d6fca62b10358a987a7c789cc965345fce622201e5e71a85b09b18521fcaf8010078558a5390828f24607d72b26f3c99cfcd607e653eeae5cc51b82

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OWOW64LR.cab.tmp
Filesize
1.2MB

MD5
d991173d602dfa56c2623e620542af5b

SHA1
7d2062c5bbb93389beb1e43cf85e428052e3643b

SHA256
9aa05b749d8c263dbd4fd04aa5fbc0209b2b427595f629a8188b3d9e3e7c68ac

SHA512
ed7f507924b5181e635dba92bf34d3406713cac12d6459f90cad77862ce57f9d3774a345867dcdb1944febfff18679e7b02655aeae0f18aa99890904d7acdabe

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.msi.tmp
Filesize
705KB

MD5
180a3c0c6f0dc299c04e59a6ffe3fa38

SHA1
58dd8a80fbbe4a2ef0f9e2990243471b0dbf7a53

SHA256
eacd8c1beb7c97757ab9d0d5d8ad7f0fda8ca5d4ebcb6708f891dd689ac0dd28

SHA512
360c32ba1e2462f4a1ef9ba1bd34bbfccf027c6fd400fc37d7e97db170cb4ac8f2eab36af627a61f77cdf33c8499d363fb6d45fd931e666cd993fa80c0ebe6d6

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUISet.msi.tmp
Filesize
702KB

MD5
85d457e094b7a88ab0283050c4fc215b

SHA1
10e1ef10318fe4d759b1171c9c9a2d9c782893c7

SHA256
838cba87cb898fb44bf7dd012787b05226a252791f9a732b386f02fb95d6eb44

SHA512
7bb7bce34680d972c600163cb12e179cf58432d30709a8fb45fd120cd85fcf764d478a3f4339bfb780778a542fb4af8a25c4d9b6be53a9b21170fb0da0a2f822

Download Submit
\Users\Admin\AppData\Local\Temp\_ChocolateyInstall.ps1.exe
Filesize
66KB

MD5
73c63ca80a35bec442a2a722957a465a

SHA1
ccf336dcb0cf296bce6b0e0946603245f2de8fa1

SHA256
c00ab3ae9bb12e64a4c6a92f94ff2ba2f371b9f51b49ffcbda6d9ffa31a081ac

SHA512
a28924efbd960e3167c3aba0da050242c827b5480431db06073f74f8b5ad3fbf4bd578c099643d59b3c53a79c23adbbcc395f259a3b8ae0fc062e8e5a63f5487

Download Submit
\Windows\SysWOW64\Zombie.exe
Filesize
65KB

MD5
9e6beede2d7c04c3c24ea4bb88acfcd4

SHA1
7cd8bd52ec05c8e393594ed1937b2935bb02209f

SHA256
987749710e1fd756878961c0e42535d768d6669f10fa709028286fdee596c863

SHA512
1aa90061ba5a3b63a711f4a1f98185f822cd132425ef877998925bdc8dbe69e5514ef7a33972441c2f15a6d2c21809dfd978c8f20216b0c37ebef60cdc4301cb

Download Submit
memory/836-8-0x0000000000270000-0x000000000027B000-memory.dmp

Filesize
44KB

Download
memory/836-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/836-21-0x0000000000270000-0x000000000027B000-memory.dmp

Filesize
44KB

Download
memory/836-186-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/836-571-0x0000000000270000-0x000000000027B000-memory.dmp

Filesize
44KB

Download
memory/2372-23-0x0000000000020000-0x000000000002B000-memory.dmp

Filesize
44KB

Download
memory/2372-24-0x0000000000020000-0x000000000002B000-memory.dmp

Filesize
44KB

Download
memory/2372-22-0x0000000000020000-0x000000000002B000-memory.dmp

Filesize
44KB

Download
memory/2372-275-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2372-575-0x0000000000020000-0x000000000002B000-memory.dmp

Filesize
44KB

Download
memory/2372-574-0x0000000000020000-0x000000000002B000-memory.dmp

Filesize
44KB

Download
memory/2372-573-0x0000000000020000-0x000000000002B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads