Malware Analysis Report

2025-08-11 01:47

Sample ID 241005-ynh2ca1cjp
Target f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN
SHA256 f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04d
Tags discovery ransomware upx
Score 9/10


Analysis Overview

Score 9/10

SHA256 f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04d

Threat Level: Likely malicious

The file f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN was found to be: Likely malicious.

Malicious Activity Summary

discovery ransomware upx

Renames multiple (2922) files with added filename extension

Renames multiple (4361) files with added filename extension

UPX packed file

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported 2024-10-05 19:55

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted 2024-10-05 19:55
Reported 2024-10-05 19:57
Platform win10v2004-20240802-en
Max time kernel 120s
Max time network 117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe"

Signatures

Renames multiple (4361) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Java\jdk-1.8\include\jni.h.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_KMS_Client_AE-ul.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Data.OData.Query.NetFX35.dll.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\MLASeventhEditionOfficeOnline.xsl.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\dotnet\dotnet.exe.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-memory-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Retail-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTest-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\Configuration\ssn_high_group_info.txt.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\excel-udf-host.win32.bundle.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.ReaderWriter.dll.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\PresentationUI.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Microsoft Office\root\Integration\C2RManifest.shared.Office.x-none.msi.16.x-none.xml.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-console-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\WWINTL.DLL.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\uk-UA\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Common Files\System\wab32.dll.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-math-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.TypeExtensions.dll.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_KMS_ClientC2R-ul.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\LyncBasic_Eula.txt.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART6.BDR.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Common Files\System\ado\es-ES\msader15.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Internet Explorer\sqmapi.dll.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription3-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTest-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.Json.dll.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\Microsoft.VisualBasic.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Java\jdk-1.8\legal\jdk\asm.md.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Smokey Glass.eftx.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\ReachFramework.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Java\jre-1.8\legal\jdk\asm.md.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_KMS_Client-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.Primitives.dll.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\WindowsFormsIntegration.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\java.exe.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\jsdt.dll.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\vi.pak.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Retail-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TabTip.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Common Files\System\ado\it-IT\msader15.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\PresentationUI.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\UIAutomationProvider.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\coreclr.dll.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_KMS_Client-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\WordVL_KMS_Client-ul.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\jvm.hprof.txt.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_OEM_Perp-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Trial-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\vcruntime140.dll.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\Client2019_eula.txt.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.ReportingServices.Authorization.dll.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\7-Zip\Lang\kaa.txt.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Xaml.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_Subscription-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Windows.Controls.Ribbon.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Input.Manipulations.dll.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Java\jdk-1.8\legal\jdk\relaxngdatatype.md.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe

"C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 100.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

memory/3304-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2392887640-1187051047-2909758433-1000\desktop.ini.tmp

MD5 848dff4e6b198f082fe076549297c206
SHA1 a3a17b841fd83f6bc9bc31acf62bac2aa6f1c3d1
SHA256 49b217cb15c48559184613fc99c8ebccac17a69b3ed521407aa2d1e422b2b244
SHA512 3e760e38fc5878c4bbd4ccd5e4b8ef8df891f3da9036e4a9fd0064d3bdc1d561e723c1eaf5d41271877f6730d716249de68982555c372399be02ac1d77a34d66

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 b555d70c3fb19ceb5f0063b8f923e196
SHA1 86451f2166c58832aa46bd43de15c98408ee6537
SHA256 ad447b5d1c05b7f1897c78e6a0cdff3fd22a24130eb0ab0d707200b6488b17d2
SHA512 5a9e140613df1b813d20f54cb4f9a6123c2ab2e1e36a1782ad2fd9e347613445a3d315e7d0265747dfc105854f6e5582dfc1baf33108b3871309b7bc190b7b67

memory/3304-846-0x0000000000400000-0x000000000040B000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted 2024-10-05 19:55
Reported 2024-10-05 19:57
Platform win7-20240708-en
Max time kernel 120s
Max time network 18s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe"

Signatures

Renames multiple (2922) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\15x15dot.png.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Mendoza.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.service.exsd.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.net.nl_zh_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPTSFrame.png.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-12.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.jasper.glassfish_2.2.2.v201205150955.jar.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-actions.xml.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Microsoft Office\Office14\ONLNTCOMLIB.DLL.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Dot.png.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Kamchatka.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Tokyo.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\launcher.win32.win32.x86_64.properties.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.operations.nl_ja_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\shadowonlyframe_selectionsubpicture.png.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\MANIFEST.MF.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Java\jre7\lib\fonts\LucidaSansDemiBold.ttf.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ja-jp.xml.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\msinfo32.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationRight_ButtonGraphic.png.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Nipigon.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.app.nl_ja_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.ui.nl_ja_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\instrument.dll.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\management-agent.jar.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-threaddump.xml.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Argentina\Tucuman.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Java\jre7\bin\wsdetect.dll.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Pacific\Guam.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Microsoft Games\Multiplayer\Backgammon\ja-JP\bckgzm.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Common Files\System\msadc\adcvbs.inc.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.swt.nl_ja_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\vlc.mo.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\TravelIntroToMainMask_PAL.wmv.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\libxml2.dll.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\eclipse_1665.dll.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Merida.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Etc\GMT+10.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\7-Zip\Lang\ext.txt.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\tabskb.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\hprof.dll.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.servlet.jsp_2.2.0.v201112011158.jar.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\VisualElements\PrivateBrowsing_150.png.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.nl_zh_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Pacific\Pitcairn.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.DirectoryServices.AccountManagement.dll.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.htm.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-services.xml.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler_zh_CN.jar.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-attach_ja.jar.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Kentucky\Monticello.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Europe\Bucharest.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationUp_SelectionSubpicture.png.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\db\RELEASE-NOTES.html.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\MST.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-execution.xml.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Common Files\System\msadc\msdaremr.dll.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsNotesBackground_PAL.wmv.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgePackages.h.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-annotations-common.xml.tmp C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe

"C:\Users\Admin\AppData\Local\Temp\f91a3ab4a77e9a360a5f6f7f8cff36b75905526a33e02d167c9665ac99bbe04dN.exe"

Network

N/A

Files

memory/1620-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3551809350-4263495960-1443967649-1000\desktop.ini.tmp

MD5 c1e35b70b2fd170e6e098781d711b8c1
SHA1 b9e2acd5296a7d638a0826f27b753f9e74075e4b
SHA256 16587209c2784f6176276a49ee0e63743ed2712b72efaf92eabafc347dd4b819
SHA512 42882abd277571a0fa5a2b4dc0f74928a0aab6b119227392965312400ec5ec58460e48dc818b281d50f09909ce2ed1bab1862f1e8f5ddc6daa48f78a6251ee2a

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 43001fdd6fb11b21bffcb0048ff0acd7
SHA1 0f3c222211d2cd7c29d38b04b5298c48c41edc0e
SHA256 8e8499117e0059b6129fe034192b52468e4c59f5a165c8692085295fc3f45ee8
SHA512 5ad9ce54ec49d62dc5faad51d9ddc0b15607c0bd878210834f03fc678e4109023d976a581a1dd58333a15c20b6b6b8e239f28d8c34a1e2554cbae0c8e007d01f

memory/1620-74-0x0000000000400000-0x000000000040B000-memory.dmp