fafbbd27f5ff67b77105397e1f33e974a296e67f23d0659cb947aec409d506ae

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 04:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fafbbd27f5ff67b77105397e1f33e974a296e67f23d0659cb947aec409d506ae.exe
Size

142KB
MD5

e586b5ff901ff521eff048204b1974a9
SHA1

84f2ca0eca361c9553e471861a29832f2a7bbe2e
SHA256

fafbbd27f5ff67b77105397e1f33e974a296e67f23d0659cb947aec409d506ae
SHA512

2b1eec8efd076f02b5b227c03e1a4cf59be4c912ec1cc246eb26b25bd9304a4ad507791fa06e0e26c3ee06cc1dee6e03243ecad2faac987ca265f1c6ffd7a024
SSDEEP

1536:a7ZyqaFAxTWH1++PJHJXA/OsIZfzc3/Q8Q8/8fCe7ZyqaFAxTWH1++PJHJXA/OsR:enaypQSoskdnaypQSoskQ

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (3615) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX dump on OEP (original entry point) 45 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2968-0-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
C:\Users\Admin\AppData\Local\Temp\_MicrosoftLync2013Win32.xml.exe	UPX
\Windows\SysWOW64\Zombie.exe	UPX
behavioral1/memory/2968-14-0x0000000000510000-0x000000000051B000-memory.dmp	UPX
C:\$Recycle.Bin\S-1-5-21-2721934792-624042501-2768869379-1000\desktop.ini.tmp	UPX
behavioral1/memory/2852-33-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
C:\$Recycle.Bin\S-1-5-21-2721934792-624042501-2768869379-1000\desktop.ini.exe.tmp	UPX
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe.tmp	UPX
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\osetup.dll.tmp	UPX
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\PidGenX.dll.tmp	UPX
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.tmp	UPX
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe	UPX
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.exe	UPX
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.msi.exe	UPX
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveLR.cab.tmp	UPX
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE.tmp	UPX
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwdcw20.dll.tmp	UPX
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe.tmp	UPX
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.xml.tmp	UPX
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\pss10r.chm.tmp	UPX
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\setup.chm.tmp	UPX
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Setup.xml.tmp	UPX
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\ShellUI.MST.tmp	UPX
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.msi.tmp	UPX
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.msi.tmp	UPX

Executes dropped EXE 2 IoCs

Processes:

_MicrosoftLync2013Win32.xml.exeZombie.exe

pid process

2996 _MicrosoftLync2013Win32.xml.exe
2852 Zombie.exe

pid	process
2996	_MicrosoftLync2013Win32.xml.exe
2852	Zombie.exe

Loads dropped DLL 4 IoCs

Processes:

fafbbd27f5ff67b77105397e1f33e974a296e67f23d0659cb947aec409d506ae.exe

pid	process
2968	fafbbd27f5ff67b77105397e1f33e974a296e67f23d0659cb947aec409d506ae.exe
2968	fafbbd27f5ff67b77105397e1f33e974a296e67f23d0659cb947aec409d506ae.exe
2968	fafbbd27f5ff67b77105397e1f33e974a296e67f23d0659cb947aec409d506ae.exe
2968	fafbbd27f5ff67b77105397e1f33e974a296e67f23d0659cb947aec409d506ae.exe

UPX packed file 54 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2968-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MicrosoftLync2013Win32.xml.exe	upx
\Windows\SysWOW64\Zombie.exe	upx
behavioral1/memory/2968-14-0x0000000000510000-0x000000000051B000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-2721934792-624042501-2768869379-1000\desktop.ini.tmp	upx
behavioral1/memory/2852-33-0x0000000000400000-0x000000000040B000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-2721934792-624042501-2768869379-1000\desktop.ini.exe.tmp	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe.tmp	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\osetup.dll.tmp	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.tmp	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.tmp	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\PidGenX.dll.tmp	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.tmp	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe	upx
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.tmp	upx
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.tmp	upx
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab.tmp	upx
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.exe	upx
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.tmp	upx
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.tmp	upx
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab.tmp	upx
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi.tmp	upx
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml.tmp	upx
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.tmp	upx
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi.tmp	upx
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab.tmp	upx
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.msi.exe	upx
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveLR.cab.tmp	upx
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE.tmp	upx
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwdcw20.dll.tmp	upx
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe.tmp	upx
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.xml.tmp	upx
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\pss10r.chm.tmp	upx
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\setup.chm.tmp	upx
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Setup.xml.tmp	upx
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\ShellUI.MST.tmp	upx
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.msi.tmp	upx
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUISet.msi.tmp	upx
C:\Program Files\VideoLAN\VLC\plugins\access\libsmb_plugin.dll.tmp	upx

Drops file in System32 directory 2 IoCs

Processes:

fafbbd27f5ff67b77105397e1f33e974a296e67f23d0659cb947aec409d506ae.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Zombie.exe	fafbbd27f5ff67b77105397e1f33e974a296e67f23d0659cb947aec409d506ae.exe
File opened for modification	C:\Windows\SysWOW64\Zombie.exe	fafbbd27f5ff67b77105397e1f33e974a296e67f23d0659cb947aec409d506ae.exe

Drops file in Program Files directory 64 IoCs

Processes:

_MicrosoftLync2013Win32.xml.exeZombie.exe

description	ioc	process
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\PresentationFramework.resources.dll.tmp	_MicrosoftLync2013Win32.xml.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_65_ffffff_1x400.png.tmp	_MicrosoftLync2013Win32.xml.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\gadget.xml.tmp	Zombie.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.text.nl_zh_4.4.0.v20140623020002.jar.tmp	_MicrosoftLync2013Win32.xml.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\liblive555_plugin.dll.tmp	_MicrosoftLync2013Win32.xml.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\misc\libvod_rtsp_plugin.dll.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)grayStateIcon.png.tmp	_MicrosoftLync2013Win32.xml.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)alertIcon.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\about.html.tmp	_MicrosoftLync2013Win32.xml.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.jdp.zh_CN_5.5.0.165303.jar.tmp	Zombie.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Caracas.tmp	_MicrosoftLync2013Win32.xml.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Net.Resources.dll.tmp	_MicrosoftLync2013Win32.xml.exe
File created	C:\Program Files\Windows Mail\ja-JP\WinMail.exe.mui.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\weather.html.tmp	_MicrosoftLync2013Win32.xml.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\library.js.tmp	Zombie.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt.tmp	Zombie.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif.tmp	Zombie.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Samara.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libdav1d_plugin.dll.tmp	_MicrosoftLync2013Win32.xml.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libpuzzle_plugin.dll.tmp	_MicrosoftLync2013Win32.xml.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\picturePuzzle.html.tmp	Zombie.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Australia\Perth.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\45.png.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VGX\VGX.dll.tmp	_MicrosoftLync2013Win32.xml.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\msadce.dll.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\vintage.png.tmp	_MicrosoftLync2013Win32.xml.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\rightnav.gif.tmp	_MicrosoftLync2013Win32.xml.exe
File created	C:\Program Files\Java\jre7\bin\orbd.exe.tmp	_MicrosoftLync2013Win32.xml.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\La_Paz.tmp	_MicrosoftLync2013Win32.xml.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_MCELogo_mousedown.png.tmp	_MicrosoftLync2013Win32.xml.exe
File created	C:\Program Files\DVD Maker\rtstreamsink.ax.tmp	_MicrosoftLync2013Win32.xml.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\glass.dll.tmp	_MicrosoftLync2013Win32.xml.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Edmonton.tmp	_MicrosoftLync2013Win32.xml.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf_3.4.0.v20140827-1444.jar.tmp	_MicrosoftLync2013Win32.xml.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Runtime.Serialization.dll.tmp	_MicrosoftLync2013Win32.xml.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\TableTextServiceDaYi.txt.tmp	_MicrosoftLync2013Win32.xml.exe
File created	C:\Program Files\7-Zip\Lang\th.txt.tmp	_MicrosoftLync2013Win32.xml.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\button-highlight.png.tmp	_MicrosoftLync2013Win32.xml.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\47.png.tmp	Zombie.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\UIAutomationTypes.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\images\speaker-32.png.tmp	_MicrosoftLync2013Win32.xml.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Santa_Isabel.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+7.tmp	_MicrosoftLync2013Win32.xml.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\js\clock.js.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-first-quarter_partly-cloudy.png.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\IPSEventLogMsg.dll.mui.tmp	_MicrosoftLync2013Win32.xml.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Qatar.tmp	_MicrosoftLync2013Win32.xml.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\vlc.mo.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_hail.png.tmp	_MicrosoftLync2013Win32.xml.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\tipresx.dll.mui.tmp	_MicrosoftLync2013Win32.xml.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationLeft_ButtonGraphic.png.tmp	_MicrosoftLync2013Win32.xml.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-impl_ja.jar.tmp	_MicrosoftLync2013Win32.xml.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\System.IdentityModel.Selectors.Resources.dll.tmp	_MicrosoftLync2013Win32.xml.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\css\slideShow.css.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InkWatson.exe.mui.tmp	_MicrosoftLync2013Win32.xml.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe.tmp	_MicrosoftLync2013Win32.xml.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+3.tmp	_MicrosoftLync2013Win32.xml.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_settings.png.tmp	_MicrosoftLync2013Win32.xml.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\css\slideShow.css.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\ShapeCollector.exe.mui.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\msadc\msdfmap.dll.tmp	Zombie.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.jdp.zh_CN_5.5.0.165303.jar.tmp	_MicrosoftLync2013Win32.xml.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\help.gif.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-openide-compat.xml_hidden.tmp	_MicrosoftLync2013Win32.xml.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

fafbbd27f5ff67b77105397e1f33e974a296e67f23d0659cb947aec409d506ae.exe

description	pid	process	target process
PID 2968 wrote to memory of 2996	2968	fafbbd27f5ff67b77105397e1f33e974a296e67f23d0659cb947aec409d506ae.exe	_MicrosoftLync2013Win32.xml.exe
PID 2968 wrote to memory of 2996	2968	fafbbd27f5ff67b77105397e1f33e974a296e67f23d0659cb947aec409d506ae.exe	_MicrosoftLync2013Win32.xml.exe
PID 2968 wrote to memory of 2996	2968	fafbbd27f5ff67b77105397e1f33e974a296e67f23d0659cb947aec409d506ae.exe	_MicrosoftLync2013Win32.xml.exe
PID 2968 wrote to memory of 2996	2968	fafbbd27f5ff67b77105397e1f33e974a296e67f23d0659cb947aec409d506ae.exe	_MicrosoftLync2013Win32.xml.exe
PID 2968 wrote to memory of 2852	2968	fafbbd27f5ff67b77105397e1f33e974a296e67f23d0659cb947aec409d506ae.exe	Zombie.exe
PID 2968 wrote to memory of 2852	2968	fafbbd27f5ff67b77105397e1f33e974a296e67f23d0659cb947aec409d506ae.exe	Zombie.exe
PID 2968 wrote to memory of 2852	2968	fafbbd27f5ff67b77105397e1f33e974a296e67f23d0659cb947aec409d506ae.exe	Zombie.exe
PID 2968 wrote to memory of 2852	2968	fafbbd27f5ff67b77105397e1f33e974a296e67f23d0659cb947aec409d506ae.exe	Zombie.exe

C:\Users\Admin\AppData\Local\Temp\fafbbd27f5ff67b77105397e1f33e974a296e67f23d0659cb947aec409d506ae.exe
"C:\Users\Admin\AppData\Local\Temp\fafbbd27f5ff67b77105397e1f33e974a296e67f23d0659cb947aec409d506ae.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2968

C:\Users\Admin\AppData\Local\Temp\_MicrosoftLync2013Win32.xml.exe
"_MicrosoftLync2013Win32.xml.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2996

C:\Windows\SysWOW64\Zombie.exe
"C:\Windows\system32\Zombie.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2852

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2721934792-624042501-2768869379-1000\desktop.ini.exe.tmp
Filesize
142KB

MD5
14573f5186c02e76c5ca09d99ef007db

SHA1
73dfb51b8946f0c48016ae280dfb379a9a012a53

SHA256
a07838beb2131095a98befa7fe3faab1e4aeb22f8c53b29a8b07233078341b1d

SHA512
f7a2b57d97942c12f8b780126a20253f12ba53437d8c226b06829b3566c624050ce74e52225cf8e2f717d4a5aee8065218c697a46fe0a97cb64aff49de5eceea

Download Submit
C:\$Recycle.Bin\S-1-5-21-2721934792-624042501-2768869379-1000\desktop.ini.tmp
Filesize
74KB

MD5
9dde92075560baaded958c33dd43dd35

SHA1
9d9facb2f94b6063953f731c7eecb49bb1a7a740

SHA256
1d6bac96fc13dfa5bae8f6321986e93e9b1b03a27178202c76c04359214da89e

SHA512
407df3dd5de172cda0379a0e178bebd60a5f4e842414c442dfb8c67a6543a918c39fbaa8a303a1a4427cedd017dbd4fbc4c6746e13497e46656f780614b87a2b

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.tmp
Filesize
8.7MB

MD5
e2829c4df806a622716dfe568b792484

SHA1
1bac976e178e5bd605e4396e1d1e8e8993c644f6

SHA256
b5236a32860eb4dca1ff1d66338b9c3f362451cdd8d8a10027f29acabe836e34

SHA512
498a95d626e609802f9541ee40c26adc13b1fac417a4c905f5d2a99346d1cdef7d9761bfccde512c7e1ba6f45284788698174bd9122e194ea7257e5943e255c1

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.tmp
Filesize
22.8MB

MD5
156445f7f48a13be424282c311c83b7d

SHA1
00c4fcd84114133855baeac3274a64b744baae51

SHA256
38ad5f6b55b525e201ac705386b129f758863dc1d3b259ccaa5551cb1c695615

SHA512
eacb3e4dfa69af3b9f004a0b5d7b4fd2626d034506b5aa18ab21bc2a9f3c555587416ede9e18d5e5d7f79004559a5df7643264532af6e8b9f989129dadd094a8

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.tmp
Filesize
2.3MB

MD5
e73968526b3ccb10b34ba0c27f02db1d

SHA1
4f8da512493cd3c71f5256c4426e23f9fad5722a

SHA256
d6bda1e4607daad901b4421a1939d9e71680a244f3ac256aee6d41416d3a6c0b

SHA512
46aa58d2d10f6f1caf6aea62b53268c258809d6c3d48099a2d228a42e90db912f7d15864c0beb2807ea489a90ee2edecb3bd12b2eed9fbf389dc5f54a613be92

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\PidGenX.dll.tmp
Filesize
1.3MB

MD5
07eda51fe9079ec9be4e79576ad132ad

SHA1
c337e1f8a89ac9c06d1671fb5a9010aad08cacb1

SHA256
f1b6a1408c9aed384670f0011199f270f7a1d610a47d2d480e9e1f2b8fdb5c78

SHA512
911701de29f8ad9d74357c684ed9e9165c8038644f3858ede51c052a71987fa99d5865a5bf0241397c4ac49469c1ec12f1259307f2b50726cafbdab6f1efc7d9

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.tmp
Filesize
1.3MB

MD5
f839790c64349aa29312333e7f583f43

SHA1
589e5c094f980f7bc673028fade4861fb65720fb

SHA256
0c0611e262de7827a84009116710d613637b480f7b3bc3d19263770a93da8617

SHA512
b07f2944c60bd58dbbeb3178838d3cd0142c7e157dc3ba2ba96eede1f4d3266c0e9f30e6a3789a4cb6f81e71cbdc297af60a3aa7cc694427cb02289ecc49f998

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe.tmp
Filesize
219KB

MD5
9732f6ebc9cf52ffad544233acf72bd3

SHA1
df9d81b2d5f8849432e1c1a42d50a4ac5a0ae0de

SHA256
14d4a27943f5e49c7ffefb04b36d3253eddedc8759a3c26e9a84e31ca591f448

SHA512
854fe04544c9e100951b4e0a953cb6932fe4b27564f373839d50ac3b182f69d3fbedc7261013165877ff8ce40476fa907a876cb056b4cb927db50d05ab29b16d

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\osetup.dll.tmp
Filesize
5.6MB

MD5
2a3c145d21274bc6ef9bc7c9fe3d7d1c

SHA1
c5e5e01cc4933431cdf242dd2cc03ea33205192e

SHA256
926d7bb363a2ee0e3fa7c8b785fcef8fe3802026a9ec14fa97da6ed8b83df80b

SHA512
b007f71713a6b637d2f40c51a15fce40b40711be84b11a3346db6077cfcbb7a5a09919ed46082c2cbcd536ec1cc9b9083719c6ba3e2c4fc14d8c9aee8396b2f2

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.tmp
Filesize
772KB

MD5
0cabd068fdc0cb25dd3aacbfa5d3f70f

SHA1
7bbfdf4d50eee56b85741e28bf9c32acb860a0d5

SHA256
9663da20f0d7706b1d41b9fbac2ff366eec2561bf14c38ddcab54be61b0a0997

SHA512
7f3e08ba8c82ffffe71df30d30ebe309bfec998daccdfc835c72f27f2dc9b2ad0c7126535c516108e8d0df4e765c58cc064f57d09d715054fde5b9110afd5774

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe
Filesize
1.1MB

MD5
6e42cf9cc6dd2d17d8a2b28df30200be

SHA1
9dcc2b358b209474437619065a5f3513d587db95

SHA256
f2ace47830658e196cb1e199192caaa2db3d7d0c0024815e5cd202571d35b873

SHA512
cfc93d279bab1d6c5dbf18bab24c2146b0cd8454c8fdcd66ca2f6a9d57b94f9b42f3cf62bbc543fda0786366eb621382f9412ad297fb6ec7ff0b8a71e4a17f16

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.tmp
Filesize
16.2MB

MD5
e178a54c968348f225267f104448d3ca

SHA1
bd90251510f2bc55083606963aa4808339be2c68

SHA256
154b5b4130b7893b784525a18fb1e5b0164fda8677028c69fb62bc6abd73e3a2

SHA512
7c94b717e737d8801b3b521cef27dd1f62a185163593f42d3dea68ee47f2f695aa650d20b67610005aa01faee77691095b116269f3a3d634a2137a2d6348cae1

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.tmp
Filesize
320KB

MD5
7c8fd8e1ffb112382839c27fd0b97814

SHA1
0901078d9e3da415ea2c6cca203766e36f512140

SHA256
b235034432ff83b2ca9deb860e35bd09c93ccb744a3ded2972bc3d7f6cb200f0

SHA512
5e01c6a3ae36e6702cb394b61efdc017821f2d3ccb343ac15cacc1607894f710236eb6c5a31abb3f73797cb4507a7183a434c30fa4476982fc3bca450c87bc13

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.tmp
Filesize
644KB

MD5
48130a318662323ecded6732a8ab724f

SHA1
43b84a9d8c847b0cb1409ad15fd53dcc5eb0cb1f

SHA256
2e8feac9542c883f6f8e131360ebcb9d42d8f23bbe3cf9be3b69c21e910f0eae

SHA512
66789166c8bd3cc3ee6fefbd0df424ed13749b0b48cdef42b6809ee045797f557c83a175f45c1509786aff6c9e8fc7bab19f2358ac955bb0f273c99a2c0c5119

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.tmp
Filesize
1.8MB

MD5
c309a286f09bff46530f7f89486300df

SHA1
395105e9e231b3bb0720310bdb5960ac46a74d32

SHA256
4598f885f1aa12c597d87add0039916b79a3b80c05ceb4f5156eb3d05dd8c324

SHA512
df3cc8f65367531adc0f7c2a5fc8b96b7d6f5d22ce75e698a1873c78915046e578c84479c985c5b6106745e7a152a945bec56b00e5dafc49fcde4629da4a15a1

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.tmp
Filesize
7.0MB

MD5
8422b1fc35752d6597534cca275bc863

SHA1
2a823aa086f1dc0deff904b1f0bf46bb894dc779

SHA256
e5a0dff7d072cf98866266e14a4c7d33f09fc30bcdb247089d0bdcf70d67816a

SHA512
17bfb68c6a64fe7b9be577f1bdbc470f360a3a82d7f5392869761c9f517b8788bd145e9aef537d96d2a4ba0c3860f6c29dadb49dc86a2f9c604a9d1c89d99a40

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.tmp
Filesize
76KB

MD5
f8ffe67050c8de1783a9cb4d96a1730a

SHA1
03fef7636a49393820bbe809d97702d7e5f7bf13

SHA256
b59c378f43a6ea8e920549bd22d81a217e29fac9df62cef4f86cc7d6d3bf31f2

SHA512
e0cd4bfc5edc4251d1c21d37937e02cccef61c0f97058d0915b2fea31121f3cf8b3ebb7db97846596c0caca96fd2e814fa87e13818a85f005964f518d97fd6b1

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab.tmp
Filesize
5.0MB

MD5
97f77193e66a91b572c215cf099f56d2

SHA1
ccd33075cf08582eb4e6becef57173287cae0025

SHA256
ad9c856eccaa52a2408b0fe63810c67c35e4a90de4291fbf17ef9cc858e453e3

SHA512
4277b94a58c5cab6438f72a633d663aab7c3cae90505854c54d37a7111e8b17e06a057cf8084963fc81d6df8e0ed93407e85ddb55863cd4bb39e3fd639a8739e

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.exe
Filesize
78KB

MD5
cf8514c47cd689e5d9f8d1ab6af880e8

SHA1
afdb4208ad3547c733d9a344c78d38b04d5475ce

SHA256
9ce4a137f09982b9a71a18750d3dcd96f9de28d75b90c51e58cfa1a82168fa8b

SHA512
db0ac9632a4ffff4086fb40608167b3dc14df29a8e7acc52d5d6edd6d1d00ee70541b4e3083e3fe1cb15665b95df4e079ebeda0e4ae605e02b0a08fb6d379ba0

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi.tmp
Filesize
1.1MB

MD5
3226d84ad126cf53da65bf627db1fb85

SHA1
19225699404e31cd5e4bad6b0275eaebc783a381

SHA256
566b194cf51ce6f08f4631b8beae5c3fe9b56d5321e6fce96039f774863f42fc

SHA512
ecea6d559bfe539d821fca4e3737a47b67d23c69b7f4637e0a5e1db0304e0add1e5c3081e858030878cabe1ab3525816520bd9f3c73596eae6e6904291416982

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.tmp
Filesize
804KB

MD5
c6f1a38cbaa04f225ca541ac2c21be92

SHA1
d2c6f189a95d8f1a5a72e35e29ed2deddfc1b301

SHA256
ba4615266d23ae60cac2998f8c1c0914acbcb2e6f11f7dbe8f86d9ba88a48cfc

SHA512
9045713a44c0ed2b3eda8eec0ba5a9eba6a6929e21c223ba70c34b81be813834a75f91cc608f6134e9dc72230fc749b1f547aaadbc2d47cea6ccd341a46e0a09

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.tmp
Filesize
10.5MB

MD5
c81aecaba4c47426f64e75b4fe1d7543

SHA1
1dbfea424dacc0ba7f67f703fb1be9d4d02c7680

SHA256
84bcada10e483cf98ba473a522d46ed32b71a0bd96252184d5c1b1c8f6dcd158

SHA512
7315579480847f5b083d42211702edafa87bbf9d27e2c2a53ebfccfa1ac8b8acf8cdd56e5b67a1bd8cedb58b3fc32db1dfb33d1b03dfa566de9ec7121a24684e

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab.tmp
Filesize
1.4MB

MD5
e661dc7698021c3f8f5afd4e86cefddc

SHA1
a5d4fac99b5b2c4d9b3150f1e4fdd74144700321

SHA256
ae3558874043b66c1fef375f98bad20484cf5414d293c773433458f310358848

SHA512
00348a88af201c62c0f82bc98d2e2fe1ead81402f6e193d7c615df0dfb00a6a3432b76640f4e3d6e34c16632790fd892ef2c05e8e1b6e0f14a4f8925ecc62258

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi.tmp
Filesize
721KB

MD5
36e000b73f6d5bece88b1ed9ec860534

SHA1
2128ff6c67461fa4dc6e4fb953cdcc229c5b1c2d

SHA256
42ba7b19ce6a97f4ef4da2fd0e8645183292ba7e635d8ae5361c4c2202e9f69b

SHA512
258f41dccc97dc27550fc11d5db47872c001c3cc501a7fa8d3256f64b84ccd713747bf3057827b6be756181f1e825c143c3c2d529b4277f066d2566aaef6ca2a

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml.tmp
Filesize
76KB

MD5
4ef3302bc9cc2b59713f82103eb14080

SHA1
1a5fcd1757ef59b5bfa986285dc939be81709be5

SHA256
5ef76f3dc72c1c9cf4177af8e83e829b861d91b1fba17fd80ef23662e55cd3b3

SHA512
f6e0d88fa0efd71349829ada90ed6bf5723133f7cffa1eb3c52a6b3b58a4e7b6249f5542c0408ad9475c59f84c0f5d83b44a9f72c2e44bc681517ba16a0195c7

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.tmp
Filesize
80KB

MD5
853161fada944ff07b12d973a5cc6f7e

SHA1
16951187aee6c9d5d1e086cfd6c41f4a4a71611b

SHA256
9ec8e012b42bc8a6325715cb4615710ab8adc0a3f30a515d695bcc49131bd0d7

SHA512
8b5c87e158cbf1da8f88f22e1525a72a07e7f8badaa4b3f0aae53de971e43a0f02bb36f6f6a21a30fe4f10ab690cba2cd9157223b566963ff6cdb1f5416b6184

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi.tmp
Filesize
725KB

MD5
98062f97a680745f9bc8a301a3ebb194

SHA1
554c6262251b13a6e06ff1cd6435b695e4f34a46

SHA256
8accd1872fbb92402951d61464c1e5474211a23b3a1e04a320ce7aba7d4d4144

SHA512
2276766899fe9cfbab61cad8e5e29e1998d247f615d6708e9fabdfae1b84f3a5ddcd8e1a2a7b43d117b6095a49f7ce6f210a75afac381aadf0818f910bef51d7

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi.tmp
Filesize
592KB

MD5
3e1a5e062166e9741019746c1365051f

SHA1
fedf8dd4871abb06cce58ab66e0172d2cdf8daa5

SHA256
a5b0454695f5dea0b1eec4036c1adbe8e4feaf91f4854019ca2417a6f52dec49

SHA512
c7c9da3b3c81b50e57e64f75dfad124984e99d5fcd455a458007b9c55cd14dea8604dda479df72a2d84d4bf6942192e364378ec8c2328b982536597a21205fe1

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab.tmp
Filesize
784KB

MD5
f08eda8bf820a5dfeab32037064b1e76

SHA1
37c310ea46d72dd050b94f8bff2fd4fbb4207220

SHA256
b4f15242745f446f8082f3f1a38d2eacfed6aebd4b0af5bf51c732fc4de0bbac

SHA512
91ab233cf00673c94049a07412e6b1d8da74682c261ba236512f56ac74663908b5d69eb4065e7a3936b20ff6c6e64688e2badb89300736f637cf1400357bb1cf

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi.tmp
Filesize
1.9MB

MD5
d8da059e8913c1bc14b3bd60dbe61b19

SHA1
956a687a544244395b5c91c8c69981fb86d814f3

SHA256
b77b8abc8c93d26618f9f250036b2e678174fdf900f64d50e1ff27916103973b

SHA512
2180308e957625b72e54196c382596e1beb96f21a0a2897ac1366fbdfc45b9ea6920a16c31e2cadc9fb8047321e0abae8687d21c78c4a1b3a5058b6321319316

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.msi.exe
Filesize
1.8MB

MD5
111363fe2baa1e4048510527d7b5f62e

SHA1
5b214b940fc5f75660798cda8e4a431b0dfba92f

SHA256
6c93df0c0fadf0029b35e217811581370cd5b149f10f8ec4b0f22458c0b9f4c3

SHA512
5f2d1904c8ac8cc6f427ffc6ea3ad3e10720f1b8c2b1dd6387a8f24f6e6983d3bbcdb5d38c7f5cbed3c0d4b31690e1094cf444d9047e1fccc3b624ba4f6ebd7f

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OnoteLR.cab.tmp
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveLR.cab.tmp
Filesize
1.2MB

MD5
14575259c7307e1404d8e478e5f3f284

SHA1
290b5b64654adcf1ee800245aee9c9b229d57e0b

SHA256
feaae3a9b734331581febd84e6bb3acdf4f0bd0c66427e2aa9dbbbe86f26fd0e

SHA512
1c63b5837f4457f1cb73a227f42c969c92029631de8413101b9755c0dfac3533b60cc0b8ee8318b5e245c22352e4cc3c5e8893ae82941fcfb0b997ae77f3c1bb

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.msi.tmp
Filesize
1.8MB

MD5
c5bb1ddfbb6508a88b1aecf060507239

SHA1
a201ab7be93f93f7aad4ee6c45cb6e143d2c8d65

SHA256
a391136846e76a11d6b1d61b29aed4f147c7ad31126ed6af44a45e914c228f3c

SHA512
bb9c00e6b290d49feaec5ebed92629aae3b11e3fe7b8bbb26cc151a6da92cf71ac4cb7db8b284d399da659534001d1fa9b6a60bf3ce8dc0a6dabbb6339befbfc

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.msi.tmp
Filesize
1.8MB

MD5
af4fdd7b7b866dd8d3967bcc94ee7cfe

SHA1
3ba1dd81a8950f864d077f9cc7061315f0d6f9e6

SHA256
e403716c676df3eaf42a4ca76c9f9ef11564fca1f9e8d906c9207a3bc03115d7

SHA512
d39d58d67e3e48fd7aef0a19b9f8558217dd7e2919a0260fd7482d5e0eea0a162dcb9c11be4417c3f3b9f6c09902ddbf32b0f6a0aa63119004536c13ceab0a62

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwintl20.dll.tmp
Filesize
72KB

MD5
ebf2bd973cacadbfb23fc89fd73a963e

SHA1
09dcd2e72ce5ff1739856065a93838d344791756

SHA256
75df280637496ea0dcfeab44928a1f5cd3c14ba7c849757cb7a05f5d129253f1

SHA512
2b28c103c03485df6a793e6b42c9daf280634ef35cb8d2e3b6a74cfea540b6e0d2b2822b8c687b652061eb38e24b024da12e081eca46f8d812065477b59b7cf6

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE.tmp
Filesize
892KB

MD5
a7590cfe05a7e5ebf7d3eeea24a5bb0d

SHA1
a4a5d6b4df2057ba447b62f39b7c86d059698b22

SHA256
75770a588373fecf7ed87b34b0b1c13a3105c7e07fbd607c2003eaea74b42aaf

SHA512
c23e2e8aefb5b791564d8a10767206f9b2aa521db3b0ff3724422bbd494538c3e28b62a71b8616b3d8d411dfa2b917b4275a27b589ee8ef2d0d046052cd5c217

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.msi.tmp
Filesize
2.8MB

MD5
d01e5b2f3cc5ab97384a2dc79480eb27

SHA1
2834259e357b61b9873191eaee2c4f521fa4fb22

SHA256
34814be807d2dc82e64014e64cf4fc9b385c831546b4fc98902904457ee2bb6d

SHA512
37e3a8aff2fd796cc6fffd2254b98dec4a57dd4b54f8b3b69eee6911d3404f73cfaa44c24b841ab1c792858685783933a4bd142dbf2c7de5fce426185c0f0f64

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.msi.tmp
Filesize
708KB

MD5
67062b049f76306751430f26d9e41127

SHA1
2f49f27465289cf39b4a99bc3b6342659ad4027c

SHA256
efef22690f11e4b770090ab73abc67ab5cd4bd21ca3ab00018ec18c4fa5f2de5

SHA512
eb06053a8f734a3ec78f82700428d99068ce038778508b334a2007226006c0d504fca763ced4521bf6890e6d9b1146242c14932c549e450b7c4f22a08ef3365a

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.msi.tmp
Filesize
708KB

MD5
e7f62b7d1d88bd04e60101b5742d4bef

SHA1
66f05e23e56e172faec5480795d5fc57f04d3f3c

SHA256
73a0311afdf0799d1ca5dc738bc98d92d0986b9ca9048815034a7cd4cf6a5235

SHA512
043a729f3777ba6afcc24bc97ba6790ac7cf59e66c2ee7a8fa6b7d866c93277a50aa02925f1cdec8de0c9e3a10557aa316e0bb264df1210b867b59e6f1365d25

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.xml.tmp
Filesize
75KB

MD5
2fd2fdb8b346acbf510667de890e0a5c

SHA1
ccdcb837c48647df8aee933dbd7157259b1eca4d

SHA256
f53545c8d3cfe7894c500f56becdfd8fba661f1094ad0ea4c1aa79e0b863dfda

SHA512
e14c0c1eb7026acfe31f3cc927ee8aa0e79d7973c09808303584914420eeb81e7a50f684b3721e1ab31546c3dcf2f51cc105ed8a650e3215fc87ad18bfe9ff3f

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Setup.xml.tmp
Filesize
83KB

MD5
5bfa8660cd19e39d69e33de6154a60cf

SHA1
e1a1396939c9742d6905ecf6afc3e2833176068f

SHA256
46967a86512665004ca11853fc27bd219cb7e9568f2650678bcfba24fa48ff39

SHA512
aafd63fc1a3dc511e890dc4dfebd27ecaea708f17eefbafc54320bb3765e48e462fe43216ab25a83af7b735bc1cbac627bfa9ac34629acbd748676fc284d6b6a

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\ShellUI.MST.tmp
Filesize
80KB

MD5
a329f285eacd63e6dae0ae9e3a6c4ab8

SHA1
df8c307c48b6fa463c8e64316ad68a7882c1f567

SHA256
59dfe03935887d202b8006a13ca56d4d9228e0949d2d0c32cf6000f739824a26

SHA512
c7dedb846095bd12fa36661a9cd532644c57dd5f6eab522e16e6feecd2088c7c7d4aa9a14cb5fa5185b4dda1924323cbb61503ee71918501155c96a15c5a763c

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwdcw20.dll.tmp
Filesize
587KB

MD5
b307cc26e0f25657805c131a88320cc7

SHA1
19b42bb6df7ec8cfde60b33282bff6d09bfd2e0a

SHA256
50d463dae61fb863565702190767015b6130b09ff5d9426ab8ff4391dbfd637f

SHA512
7d28862a7812ad80741b3e435bf94f7707fa88d5397cebb577b2ec50116275f72f0503152c159c43845fc3259b71b631a683c10fd6c5a855188da7a764a4b675

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe.tmp
Filesize
581KB

MD5
0a401b5a346e4c7702f67a595c34eca3

SHA1
af4bc1b7fd945bad40d4bfa14a4e31b280b37a11

SHA256
a60d1a7f021d6114969d1c6ee4d150eca750b3cf3b003deb36bc75b765ea9d36

SHA512
cffbbca7860101af0db86133b67711cc831e3cf76fcd0e104c48b2e8d612dc66319a69753b5fef865143a8fa8fb324f06ba8aadec429cc3c0b38859febf65fc3

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\msvcr90.dll.tmp
Filesize
714KB

MD5
5ca50b887780e7e366812190b58ddce7

SHA1
e18e37e41612abc8a20b0b5b5604364daf8fe906

SHA256
9c166def0a2fa344fae2005130fa971067579ab25d459183a91a922f0283d9b6

SHA512
cbd18da6243d1edef14a4dab5b83014bccea3a6dae52c4dca1f40a73e1b4cf0516a62c66033b0e9399d9c3732bb6c6a1c2970e7e391a58f49c38970a1314090d

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\osetupui.dll.tmp
Filesize
261KB

MD5
8a958e4e998e10d7d3ef6f6054d610d8

SHA1
ab728dee216d032b35d44588106fdc9e9dfedb6a

SHA256
781c02992fa29d9691e0eb1fcafadda367862d142fb70dfcfcf817337120ee8d

SHA512
c552423f7c919793807565c3f34ce402e728fede744fc081ad86203205c48976e1adae2e2f2fe8258fee091271ecbd7801e8280e19112a068e1cd36754090878

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\pss10r.chm.tmp
Filesize
72KB

MD5
3ffe3c1a1f3ed7086b32fab3d6a266e1

SHA1
a8818ce80d371a0a48d658036d47a45c0e3492df

SHA256
6248259b4e04d8b74594f1716bffe1456324c0c895c0f0083d6af3db83fd4bc7

SHA512
78fb859f1ef37b6c08100a8fd337b02bbfc4389293f1df1e6aa1ab948a86ffbbe73c480ffa09fa502c0d3cbbce88398a84b07cfb4a6c3b122f5d31024d37771a

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\setup.chm.tmp
Filesize
80KB

MD5
ddad6811c8091f99d4d1cb1da64b2b99

SHA1
7513f542c0b1666cb6be98270892f5f805271183

SHA256
c1db8eb90c7dba39f619efebc00264e0ddeb491c0b300238a41edc72d69b86e2

SHA512
ffe9fd6ab9bfd75383e580b0b13ef0b563e7cb8c608aa069f6f074ba5dbef6d4a73ed563adf70d81998f4aa327877347b152203546d045ab65dfc68fc5cc614f

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.msi.tmp
Filesize
76KB

MD5
1c7b3e9fb64c256eb15e2322fcd37e7b

SHA1
165f078e01d4ada90bcb63b9d371995951751929

SHA256
d15b2f19eb2fc8d983ce37bb01704890ff02e8293a514bda9ec94ad8b363e54a

SHA512
9dbc3eeb2473fac92c56c76df9deedcf6016923a89f86522e92b9e92b1136db66e4a2a4cc36aefdfc03c00bbf336df1954319255a48f2d3ca42bd64a14f29161

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.msi.tmp
Filesize
712KB

MD5
6009e247d1889767b02e58b7b8b93b71

SHA1
e2109e46892b5efb7086a9ff9cc5829cae0ede68

SHA256
8255fcfe142aba9862cdcf64a3037cdd63abc46df0a821d6285c939f011475ff

SHA512
1093144ec60f70852e53ceb07fcdab2b047a2b586a1c558475d1a028087b519b4641d60d3a5782048fff52cb15c31cdc6d992f8821e9ca7bd911510218438193

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUISet.msi.tmp
Filesize
708KB

MD5
17156cdebb7a7803d8d567063264961c

SHA1
6294804eb5f199979e3402db872fd7b2a6d21be9

SHA256
5e47c86c6ddfffbac3d35a221e9034d4254cdf72fc0596bf4d753f7d924984e7

SHA512
787c1c0a7b65489bc61725d7b2aa6b93e9f9919bc2b5e925a1786b155f00afa0f02783cdd7d7be0eb65e02670c220b0916c484aa79001dc145c1a45f3e01c7ac

Download Submit
C:\Program Files\VideoLAN\VLC\plugins\access\libsmb_plugin.dll.tmp
Filesize
131KB

MD5
80d42c71d58311211912cc36ac78d6e7

SHA1
8463032b87ae2f75608c2c018809ea938861826a

SHA256
e971fbb749cb70bf58f857ee21b449e1e94040576b6169530bde928cfc7a67ed

SHA512
6013e986f81d8df51e27d9295a124309ae0c373fdf6eb05c8fd197fb007361c17aa29eafcdc3e20115191f85f946d2dd2429ff8f7435b31fab9afcd070f690c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MicrosoftLync2013Win32.xml.exe
Filesize
73KB

MD5
b0d2c13b4b18574d8775e0fc337800f9

SHA1
ee66da2115760271bbf283063f0f4e19749ea8f9

SHA256
9a7b13fdbe55396d1b3f93d8c4808de00f2bcd7d8d430cbd12be7aa80363573f

SHA512
a02bad3226f8aef19d466ac9a94591d949ce18613d0ecb6514e78e401b8b9f53de8fef14a98449398d4f8a22a4141c42d8d5b3d1eb64e77595e0de63200038f0

Download Submit
\Windows\SysWOW64\Zombie.exe
Filesize
68KB

MD5
91f391ac2a22651f5693c86bf4b88f73

SHA1
c1b8e78c2588b80ae8e659463a723c0ec89850fc

SHA256
974a49889c81eaccc38290a2f90fd158ddcce6a29dfff066fba90a3027354eaf

SHA512
a8979e6b9b7642c5c6f4b9b92de3fd5854362af9ed5bbc7980cd61c8c18d0d8a17be34c81605bc7717526c78c7763541b66fe5a5b5b5a9c2ce2fc9a36ba106cb

Download Submit
memory/2852-33-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2968-14-0x0000000000510000-0x000000000051B000-memory.dmp

Filesize
44KB

Download
memory/2968-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2968-15-0x00000000002B0000-0x00000000002BB000-memory.dmp

Filesize
44KB

Download
memory/2968-13-0x00000000002B0000-0x00000000002BB000-memory.dmp

Filesize
44KB

Download
memory/2968-1093-0x00000000002B0000-0x00000000002BB000-memory.dmp

Filesize
44KB

Download
memory/2968-1094-0x00000000002B0000-0x00000000002BB000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads