Malware Analysis Report

2025-01-22 19:57

Sample ID 241016-w2m64svbnb
Target 103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN
SHA256 103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcf
Tags: upx discovery ransomware
Score: 9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 9/10

SHA256

103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcf

Threat Level: Likely malicious

The file 103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN was found to be: Likely malicious.

Malicious Activity Summary

upx discovery ransomware

Renames multiple (5006) files with added filename extension

Renames multiple (3672) files with added filename extension

UPX packed file

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-16 18:25

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 18:25

Reported

2024-10-16 18:27

Platform

win7-20240903-en

Max time kernel

150s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe"

Signatures

Renames multiple (3672) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\37.png.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\7-Zip\Lang\he.txt.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Common Files\System\msadc\it-IT\msaddsr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Kwajalein.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Nipigon.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WindowsFormsIntegration.dll.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\7.png.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\gadget.xml.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\SmallLogoCanary.png.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\eclipse.inf.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861261279.profile.gz.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\WindowsBase.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_srt_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-api_zh_CN.jar.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler.jar.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\Microsoft.Build.Conversion.v3.5.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_divider_left.png.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\gadget.xml.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\43.png.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\cpu.html.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_photo_Thumbnail.bmp.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\java.exe.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.security.ui_1.1.200.v20130626-2037.jar.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-modules_zh_CN.jar.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.Services.Client.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Windows Media Player\Media Renderer\DMR_48.png.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Windows NT\Accessories\WordpadFilter.dll.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\video_filter\libball_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\InkObj.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\kn.pak.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Choibalsan.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Antarctica\Rothera.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Asia\Riyadh87.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Microsoft Games\Multiplayer\Spades\shvlzm.exe.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Mozilla Firefox\removed-files.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bPrev-down.png.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\Bear_Formatted_RGB6_PAL.wmv.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\tzmappings.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.diagnostic_5.5.0.165303.jar.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\codec\libaribsub_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libcache_read_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\service.js.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\fr.pak.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher_1.3.0.v20140911-0143.jar.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Europe\Minsk.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Mozilla Firefox\postSigningData.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\access\libsftp_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\plugin.xml.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Microsoft Games\FreeCell\desktop.ini.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\content-foreground.png.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sk.pak.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Windhoek.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Novosibirsk.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\EST5.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7.png.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_snow.png.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\intf\luac.luac.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\7-Zip\Lang\uz-cyrl.txt.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Xml.Linq.Resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext-down.png.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\settings.css.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Rio_Gallegos.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe

"C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe"

Network

N/A

Files

memory/2848-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3063565911-2056067323-3330884624-1000\desktop.ini.tmp

MD5 da7fa3da7183014e82875963e8b89dca
SHA1 246936d0e78f9dfe221895bc5b0cef9713d414fe
SHA256 7a3c61f2b9c3e3f001a9afd281a58bb4964b95c507d1e28e72cba8a3d1054e2d
SHA512 546ecb77c5d4ad6e1a31cc45e448c3a5c8276a1deb4d2bcad5b4dbf8dbcdee62cd9da2df204fa4651b35637c14ceac7702bcd106d9237f83606b07d140476690

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 fbe8b99cb86041224c49758cd78bc9a6
SHA1 1beee85fcd79adeffc3ca6bfea4b46ec23ae8c4f
SHA256 d9b62785199214ad1e67b63980dee12cc8a16bc36e9bfcc7aaf0057dde5b209d
SHA512 e71b289a707fe285102f4e71a01a3687a5bd9ef368b454691e2377aa670be176d547e49d5cf7a4e07c97ef0b45603af5a4b74524ac9ee64fe971800be9f10a43

memory/2848-74-0x0000000000400000-0x000000000040B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 18:25

Reported

2024-10-16 18:27

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe"

Signatures

Renames multiple (5006) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Microsoft Office\root\Office16\1033\officeinventoryagentfallback.xml.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ObjectModel.dll.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\UIAutomationClientSideProviders.dll.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\jsdt.dll.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-heap-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTrial-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_MAKC2R-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\OMICAUT.DLL.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\7-Zip\Lang\cs.txt.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Buffers.dll.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\UIAutomationProvider.dll.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\PresentationCore.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\legal\jdk\icu.md.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_Subscription-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-black_scale-80.png.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\ms\msipc.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Emit.dll.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.Linq.dll.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.dll.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\index.win32.stats.json.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\msvcp140.dll.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\w2k_lsa_auth.dll.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp4-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_KMS_Client_AE-ul.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\PresentationCore.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-sysinfo-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\ext\jfxrt.jar.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial3-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Serialization.dll.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\verify.dll.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\ext\sunpkcs11.jar.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.AeroLite.dll.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\System.Xaml.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\System.Windows.Controls.Ribbon.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\jp2iexp.dll.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred.xml.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\sqloledb.rll.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\UIAutomationClient.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_MAK_AE-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL054.XML.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_KMS_Client-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Compression.FileSystem.dll.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\Microsoft.VisualBasic.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\deploy\messages_it.properties.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\ANALYS32.XLL.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-80.png.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial5-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Trial-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Common.dll.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_KMS_Client-ul.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_OEM_Perp-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\MICROSOFT.DATA.RECOMMENDATION.CLIENT.CORE.DLL.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Unlock.png.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\7-Zip\Lang\ne.txt.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Internet Explorer\hmmapi.dll.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTest-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Trial-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHSRN.DAT.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-140.png.tmp C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe

"C:\Users\Admin\AppData\Local\Temp\103981cbb7016005c5e39411602c0642e2d5c669cf7dc6406e368ab716a27fcfN.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

memory/2352-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-4089630652-1596403869-279772308-1000\desktop.ini.tmp

MD5 9e4f54db27943047b93448381adecf4c
SHA1 797a9b0feb337f93c777a272d419583e952859d1
SHA256 a7d9c8b6ee983b8ee9b10b568d3b43368c74f28142fa783df35c82205613638f
SHA512 589a7766af5f89de9aa70433feebac71039ccbf6cb9925f389ee53f2a9eade161714de5b120cb57c8980809ef6964f5a6be1e60bf8e628c7d322bd0af8b2c08d

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 98f561d1ad23c8fae13663fc583c2ae5
SHA1 b00bf426403b8bf62ee89eea794fe15b15f05508
SHA256 2ba211075b93f4e1f2c168f62a9b0fb8b4d2a863de95a3731376894977f79e47
SHA512 06507d01da424235c331b5bab05f1386ce3a35e39f6054de5d2d3d228e0eec0fb391a78e2adeef647597eec9662f702b08b62a161223727c95f5e6dbdcadab4f

memory/2352-742-0x0000000000400000-0x000000000040B000-memory.dmp