Malware Analysis Report

2025-08-11 01:47

Sample ID 241005-yg19ca1alm
Target 292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4
SHA256 292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4
Tags
upx discovery ransomware
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4

Threat Level: Likely malicious

The file 292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4 was found to be: Likely malicious.

Malicious Activity Summary

upx discovery ransomware

Renames multiple (3513) files with added filename extension

Renames multiple (4869) files with added filename extension

UPX packed file

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-05 19:46

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-05 19:46

Reported

2024-10-05 19:48

Platform

win7-20240903-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe"

Signatures

Renames multiple (3513) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Java\jre7\lib\zi\Pacific\Port_Moresby.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.png.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_hu.jar.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-lib-uihandler_zh_CN.jar.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-core-kit_zh_CN.jar.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\EST5EDT.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Accra.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-loaders.jar.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Windows Journal\jnwppr.dll.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\DVD Maker\Shared\DissolveAnother.png.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationRight_SelectionSubpicture.png.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Java\jre7\lib\security\cacerts.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\LogoBeta.png.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-dialogs.xml.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\shatter.png.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Fortaleza.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.ui.zh_CN_5.5.0.165303.jar.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Microsoft Games\Mahjong\fr-FR\Mahjong.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\UIAutomationProvider.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\VideoLAN\VLC\uninstall.exe.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\weather.js.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\7-Zip\Lang\pa-in.txt.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy.jar.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-options-keymap_zh_CN.jar.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Asia\Amman.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_close_over.png.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\7-Zip\Lang\es.txt.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-join.avi.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Casey.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\in_sidebar\slideshow_glass_frame.png.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Europe\Simferopol.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Windows Journal\fr-FR\Journal.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_MCELogo_mouseout.png.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\FlickLearningWizard.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Push\push_item.png.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationLeft_ButtonGraphic.png.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Europe\Gibraltar.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Common Files\System\ado\msado21.tlb.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Rainy_River.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_win7.css.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\video_splitter\libclone_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Juneau.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host-views_zh_CN.jar.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_single.png.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_hail.png.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\file_obj.gif.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.httpcomponents.httpclient_4.2.6.v201311072007.jar.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-api_ja.jar.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\feature.properties.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\Center.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Windows NT\TableTextService\fr-FR\TableTextService.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\css\RSSFeeds.css.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\feature.xml.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Windows Media Player\it-IT\WMPDMC.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_rightarrow.png.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Asuncion.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Ashgabat.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\feature.xml.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Budapest.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Java\jre7\bin\glass.dll.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Java\jre7\bin\tnameserv.exe.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Hermosillo.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\TipRes.dll.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe

"C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe"

Network

N/A

Files

memory/1788-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-312935884-697965778-3955649944-1000\desktop.ini.tmp

MD5 51223a192847015e4cab35060f7a1a65
SHA1 a170893513d7ffa8813ea493f5a83090d14e8d4e
SHA256 b662f0047cc009ff132c181a609d5692400704bd905f64273446a7226ecaa7e9
SHA512 89ca4b6e4bf4ebe156e04dea7674d2d369143fd899c016c8c5482ebe69e2be5179d965d9c603d903ebbc1acfc893c7da79d048b127abed4dfd4cac4c876617f1

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 1ccaa6179affabd1aa2db5a0a77bee96
SHA1 3970b249b26ec3e662653e3dc1e6250e17c940d1
SHA256 b345d21168502ceae40b9962bc55585d841885ec579276259d9812267d960c75
SHA512 42169e0f21e13854b845269aa91de2c3a4e4c6fc8247943238d07b29a35a9df1dadba52d6bea1e03212d1418c574c5761c89a508af86d9e544528ce0413bcf46

memory/1788-70-0x0000000000400000-0x000000000040B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-05 19:46

Reported

2024-10-05 19:48

Platform

win10v2004-20240802-en

Max time kernel

150s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe"

Signatures

Renames multiple (4869) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\UIAutomationTypes.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Trial-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Grace-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\FOLDER.ICO.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\MSOSEC.DLL.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ipsdeu.xml.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-environment-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Globalization.dll.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\NL7MODELS000C.dll.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\sqloledb.dll.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.dll.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-localization-l1-2-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_KMS_ClientC2R-ul.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\Library\SOLVER\SOLVER32.DLL.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\OFFSYMB.TTF.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Globalization.Calendars.dll.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\legal\jdk\relaxngom.md.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail2-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\System.Windows.Forms.Primitives.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription1-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL077.XML.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\lcms.dll.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-environment-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Retail-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ja-JP\rtscom.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\WindowsFormsIntegration.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Presentation.dll.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\System.Web.Mvc.dll.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\FPA_f7\FA000000007.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\sbicuin53_64.dll.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Resources.Writer.dll.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Pipes.dll.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaTypewriterRegular.ttf.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_KMS_Client-ul.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\WordVL_KMS_Client-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\PowerPivotExcelClientAddIn.tlb.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ODBCTRAC.DLL.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.TypeConverter.dll.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\UIAutomationClient.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\legal\jdk\ecc.md.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\mfc140u.dll.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Java\jdk-1.8\legal\javafx\libxml2.md.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\CSS7DATA000A.DLL.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\legal\javafx\libxml2.md.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_SubTrial-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONCOMMON.DLL.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\basicsimple.dotx.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Claims.dll.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Sockets.dll.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ConsumerSub_Bypass30-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.dll.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Grace-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\es-ES\InkObj.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Numerics.Vectors.dll.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\local_policy.jar.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Windows.Forms.Primitives.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework-SystemXmlLinq.dll.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp3-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial2-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSYUBIN7.DLL.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols.xml.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Serialization.dll.tmp C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe

"C:\Users\Admin\AppData\Local\Temp\292f124006eb7133136f35a3981736660f14817d2f767d543b13135ded5ca4e4.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 99.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

memory/4008-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2718105630-359604950-2820636825-1000\desktop.ini.tmp

MD5 51d9c4a44953b8f2c4c4d25e6951b68c
SHA1 7b213e0f4142f8f0b76f8264ba65f0e98cd976b8
SHA256 042968f25510425dce4e4d2280c999967c23e74bcab93241f9ea730fea853a4d
SHA512 b57aff0d8b38552a3d5db6b5085f50e532c02d0963cc70df88cafda15a3ec7aaa10001755fe2e58eb7234f049d4da21f9a6f7c5b3c3d9c2a05e6f53fc74eadbf

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 26d54bd8754c143cd0dfba0a767cfca4
SHA1 3f2f98519f7b38d3a022b18e0832b7ec065060f6
SHA256 a7d11a4b5097b7f3fbd99251046cc22e57226bbbb39383e30ca13e9a51af20af
SHA512 92c0fca85a25866c7d3258261e6b7150279899fef053f4ac8646273cbef1347287454890b0dfca7f08c154d233fe712c4948c76b98fd3359d6db67737fcce311

memory/4008-858-0x0000000000400000-0x000000000040B000-memory.dmp