Malware Analysis Report

2025-03-15 08:18

Sample ID 241016-fq4fysyakn
Target 25021329468d62fb2a64646e94e062de280d242c4737da0884492d575ffcf136N
SHA256 25021329468d62fb2a64646e94e062de280d242c4737da0884492d575ffcf136
Tags
discovery ransomware upx
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

25021329468d62fb2a64646e94e062de280d242c4737da0884492d575ffcf136

Threat Level: Likely malicious

The file 25021329468d62fb2a64646e94e062de280d242c4737da0884492d575ffcf136N was found to be: Likely malicious.

Malicious Activity Summary

discovery ransomware upx

Renames multiple (5008) files with added filename extension

Renames multiple (3500) files with added filename extension

UPX packed file

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-16 05:05

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 05:05

Reported

2024-10-16 05:08

Platform

win7-20240903-en

Max time kernel

150s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\25021329468d62fb2a64646e94e062de280d242c4737da0884492d575ffcf136N.exe"

Signatures

Renames multiple (3500) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory


System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\25021329468d62fb2a64646e94e062de280d242c4737da0884492d575ffcf136N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\25021329468d62fb2a64646e94e062de280d242c4737da0884492d575ffcf136N.exe

"C:\Users\Admin\AppData\Local\Temp\25021329468d62fb2a64646e94e062de280d242c4737da0884492d575ffcf136N.exe"

Network

N/A

Files

memory/2548-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3533259084-2542256011-65585152-1000\desktop.ini.tmp

MD5 1789175881fd3f8cbdc6149334e61653
SHA1 c8fdb8dc11ba549aaa89802af682f615410fe624
SHA256 6d72f399d2cf2126e491b16ae5909277b7ebb8c7be243883b3c56d99234c5d95
SHA512 638a716aa42e9cecf0006df9a87408e70ebefd89ec83d225a4b5cb56ee05c12cb93684267bf4d871a4084f61d680fcd7da3780aae5e1972a6aa19fe331c7070c

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 1a4c94a319576fea73db06917c709bd7
SHA1 02bcb1da4649a34cb8a26f3bd9cc629328f8e9ad
SHA256 0c674f3332e2e4829a8ff5b0bb4f6e7574cdc1c25cabe0fefb7594be263c919e
SHA512 54588d1d451729b70b7c8a50ff8e6edc816489868a666134f3df6e5c7b4529cdd1d211aca96cffd9e4f7e1cfb59b28abee81580f15cbbdcfc8a578f998ff32f5

memory/2548-70-0x0000000000400000-0x000000000040B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 05:05

Reported

2024-10-16 05:08

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\25021329468d62fb2a64646e94e062de280d242c4737da0884492d575ffcf136N.exe"

Signatures

Renames multiple (5008) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory


System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\25021329468d62fb2a64646e94e062de280d242c4737da0884492d575ffcf136N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\25021329468d62fb2a64646e94e062de280d242c4737da0884492d575ffcf136N.exe

"C:\Users\Admin\AppData\Local\Temp\25021329468d62fb2a64646e94e062de280d242c4737da0884492d575ffcf136N.exe"

Network


Files

memory/2632-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3756129449-3121373848-4276368241-1000\desktop.ini.tmp

MD5 f2b3f1f1f10b41c3b0139a47e978125b
SHA1 473b8a31836d95393f75681edeb117aaed733365
SHA256 0318e32ebd7ab989abe962e7a1e75837ee9ce54bb5b1a0c40cd9817c82f8cecc
SHA512 51e359e3c241e832169c1bdb604f09fe2f76f6b6b396196be2031b6bd965f1fc0eb4edc07900f60d9620c957bdb50d5c45d10f0fc6de8ed5add458de2fdd18aa

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 4300512165d0f51c1ed3fafb0ea044d9
SHA1 6328a58ba27a50a687ba44d4c35279201d7301b7
SHA256 71796726e92be6c6b9ad84f69d1b64f8eec0b02465685a461718caa663ad6696
SHA512 94ce8b3128b516547ebaaf409d157bc425f16bff84359e085ee4d8d40a1f53db52634bd2642cc9fcc359bebea248a99c2e4e663d2a72a04dcc3d776459d9f9dc

memory/2632-668-0x0000000000400000-0x000000000040B000-memory.dmp