Malware Analysis Report

2025-01-22 19:54

Sample ID: 241016-z37hxstarc
Target: 3852b6951b773dd454b32d6eef6621a94dc40e10fa069cdcf48102ba0534d1b9N
SHA256: 3852b6951b773dd454b32d6eef6621a94dc40e10fa069cdcf48102ba0534d1b9
Tags: upx, discovery, ransomware
Score: 9/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 9/10

SHA256: 3852b6951b773dd454b32d6eef6621a94dc40e10fa069cdcf48102ba0534d1b9

Threat Level: Likely malicious

The file 3852b6951b773dd454b32d6eef6621a94dc40e10fa069cdcf48102ba0534d1b9N was found to be: Likely malicious.

Malicious Activity Summary

Tags: upx, discovery, ransomware

Renames multiple (3163) files with added filename extension

Renames multiple (4619) files with added filename extension

UPX packed file

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-10-16 21:15

Signatures

UPX packed file

Tag: upx

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-16 21:15
Reported: 2024-10-16 21:17
Platform: win7-20240903-en
Max time kernel: 120s
Max time network: 16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3852b6951b773dd454b32d6eef6621a94dc40e10fa069cdcf48102ba0534d1b9N.exe"

Signatures

Renames multiple (3163) files with added filename extension

Tag: ransomware

UPX packed file

Tag: upx

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in Program Files directory

Description: File created (all rows)
Process: C:\Users\Admin\AppData\Local\Temp\3852b6951b773dd454b32d6eef6621a94dc40e10fa069cdcf48102ba0534d1b9N.exe (all rows)
Target: N/A (all rows)

Indicator (file created):
C:\Program Files\Common Files\Microsoft Shared\ink\ipsita.xml.tmp
C:\Program Files\DVD Maker\Shared\DissolveAnother.png.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\heart_glass_Thumbnail.bmp.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_Buttongraphic.png.tmp
C:\Program Files\Java\jre7\lib\zi\America\Boa_Vista.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\1047x576black.png.tmp
C:\Program Files\Common Files\System\Ole DB\ja-JP\msdasqlr.dll.mui.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-attach_ja.jar.tmp
C:\Program Files\Java\jre7\lib\zi\Etc\UCT.tmp
C:\Program Files\Java\jre7\lib\zi\Europe\Belgrade.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\btn-previous-static.png.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\MANIFEST.MF.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\core_zh_CN.jar.tmp
C:\Program Files\Java\jre7\lib\fonts\LucidaSansRegular.ttf.tmp
C:\Program Files\Java\jre7\lib\zi\Etc\GMT+4.tmp
C:\Program Files\VideoLAN\VLC\lua\intf\telnet.luac.tmp
C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\msinfo32.exe.mui.tmp
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\id.pak.tmp
C:\Program Files\Java\jdk1.7.0_80\jre\bin\libxslt.dll.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\feature.xml.tmp
C:\Program Files\Java\jre7\lib\zi\Asia\Beirut.tmp
C:\Program Files\Java\jre7\lib\zi\Europe\Warsaw.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-snaptracer_ja.jar.tmp
C:\Program Files\Java\jre7\lib\zi\Asia\Colombo.tmp
C:\Program Files\Mozilla Firefox\api-ms-win-core-localization-l1-2-0.dll.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationUp_ButtonGraphic.png.tmp
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+11.tmp
C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.config.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-spi-quicksearch_ja.jar.tmp
C:\Program Files\Java\jre7\lib\zi\America\Matamoros.tmp
C:\Program Files\Java\jre7\lib\zi\America\Sao_Paulo.tmp
C:\Program Files\Java\jre7\lib\zi\America\Thule.tmp
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.Speech.resources.dll.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_Buttongraphic.png.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationUp_ButtonGraphic.png.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.net.nl_zh_4.4.0.v20140623020002.jar.tmp
C:\Program Files\Microsoft Games\FreeCell\es-ES\FreeCell.exe.mui.tmp
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\UIAutomationClient.resources.dll.tmp
C:\Program Files\VideoLAN\VLC\locale\ne\LC_MESSAGES\vlc.mo.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.nl_zh_4.4.0.v20140623020002.jar.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\org-openide-util.jar.tmp
C:\Program Files\Java\jre7\lib\fonts\LucidaBrightDemiBold.ttf.tmp
C:\Program Files\Java\jre7\lib\zi\Europe\Tirane.tmp
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Windows.Presentation.resources.dll.tmp
C:\Program Files\7-Zip\Lang\gu.txt.tmp
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Hovd.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.sat4j.core_2.3.5.v201308161310.jar.tmp
C:\Program Files\Java\jre7\lib\zi\Africa\Algiers.tmp
C:\Program Files\Microsoft Games\Minesweeper\MineSweeper.dll.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\mshwjpn.dll.tmp
C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\jmxremote.password.template.tmp
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Dawson_Creek.tmp
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Pohnpei.tmp
C:\Program Files\Java\jre7\lib\zi\Africa\Ndjamena.tmp
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\UIAutomationClient.dll.tmp
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\San_Juan.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\MANIFEST.MF.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-utilities.jar.tmp
C:\Program Files\Java\jre7\lib\zi\Etc\GMT.tmp
C:\Program Files\Common Files\System\ado\msadox.dll.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.manipulator.nl_ja_4.4.0.v20140623020002.jar.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-nodes_ja.jar.tmp
C:\Program Files\7-Zip\Lang\sq.txt.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-attach.jar.tmp

System Location Discovery: System Language Discovery

Tag: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3852b6951b773dd454b32d6eef6621a94dc40e10fa069cdcf48102ba0534d1b9N.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3852b6951b773dd454b32d6eef6621a94dc40e10fa069cdcf48102ba0534d1b9N.exe

"C:\Users\Admin\AppData\Local\Temp\3852b6951b773dd454b32d6eef6621a94dc40e10fa069cdcf48102ba0534d1b9N.exe"

Network

N/A

Files

memory/2756-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-312935884-697965778-3955649944-1000\desktop.ini.tmp

MD5 da1b87a02b291a499ca289265370ae77
SHA1 69cb1655f60e3cef572de3c95154ba4ab6be2b9e
SHA256 6d62beea8a21d6168b92de431186296c25a60a68076beb2a3c3ea33c134712f3
SHA512 a13c36636530a0219f28972bfc63cade4cbf036522a4552db64b3260bb64bf6391031b5c265805fa2a54d48729821feb9b2208341064a6e5928350e3f2175d40

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 a12b26cced634f475bf618cc83d91278
SHA1 2778063342e60ae163ebbef220620df318f98892
SHA256 8068d52644b320a886f5c09785bd2cd8f471e84bcf605b11575a228f1ddd76bd
SHA512 323f048c0daaac66e9adc6f96d0640fbebe6c68ac75580ab4f051b6b4b15cce4fffa66c04cfb2285bb2741aec1c00229f9c3601c61a40310829c30cd6ff30916

memory/2756-74-0x0000000000400000-0x000000000040B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-10-16 21:15
Reported: 2024-10-16 21:17
Platform: win10v2004-20241007-en
Max time kernel: 119s
Max time network: 107s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3852b6951b773dd454b32d6eef6621a94dc40e10fa069cdcf48102ba0534d1b9N.exe"

Signatures

Renames multiple (4619) files with added filename extension

Tag: ransomware

UPX packed file

Tag: upx

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in Program Files directory

Description: File created (all rows)
Process: C:\Users\Admin\AppData\Local\Temp\3852b6951b773dd454b32d6eef6621a94dc40e10fa069cdcf48102ba0534d1b9N.exe (all rows)
Target: N/A (all rows)

Indicator (file created):
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Windows.Input.Manipulations.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Forms.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\PresentationCore.resources.dll.tmp
C:\Program Files\Java\jre-1.8\legal\jdk\colorimaging.md.tmp
C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTrial-ul-oob.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-time-l1-1-0.dll.tmp
C:\Program Files\Common Files\System\Ole DB\de-DE\sqloledb.rll.mui.tmp
C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O17EnterpriseVL_Bypass30-ul-oob.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.HostIntegration.Connectors.dll.tmp
C:\Program Files\Common Files\System\Ole DB\es-ES\sqloledb.rll.mui.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\WindowsFormsIntegration.resources.dll.tmp
C:\Program Files\Java\jre-1.8\legal\jdk\cryptix.md.tmp
C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART9.BDR.tmp
C:\Program Files\Common Files\System\fr-FR\wab32res.dll.mui.tmp
C:\Program Files\Common Files\System\Ole DB\es-ES\sqlxmlx.rll.mui.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\Microsoft.VisualBasic.Forms.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\ReachFramework.resources.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusDemoR_BypassTrial365-ul-oob.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp2-pl.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial2-ul-oob.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-100.png.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Linq.Parallel.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\UIAutomationClient.resources.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\WordR_Trial-pl.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\WordVL_KMS_Client-ul.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-runtime-l1-1-0.dll.tmp
C:\Program Files\7-Zip\7zCon.sfx.tmp
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\baseAltGr_rtl.xml.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Windows.Forms.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\Microsoft.VisualBasic.Forms.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\UIAutomationTypes.resources.dll.tmp
C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml.tmp
C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial1-pl.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_OEM_Perp-ppd.xrm-ms.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\WindowsFormsIntegration.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.Luna.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.Royale.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\UIAutomationClient.resources.dll.tmp
C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe.tmp
C:\Program Files\Java\jre-1.8\bin\jsoundds.dll.tmp
C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\System.ValueTuple.dll.tmp
C:\Program Files\Common Files\microsoft shared\ink\zh-TW\tipresx.dll.mui.tmp
C:\Program Files\desktop.ini.tmp
C:\Program Files\dotnet\host\fxr\8.0.2\hostfxr.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\UIAutomationProvider.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\WindowsFormsIntegration.resources.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_MAK_AE-ppd.xrm-ms.tmp
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIntegration.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Trial-ul-oob.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\MSOSPECTRE.DLL.tmp
C:\Program Files\Java\jdk-1.8\legal\jdk\asm.md.tmp
C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml.tmp
C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusDemoR_BypassTrial365-ppd.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-80.png.tmp
C:\Program Files\Microsoft Office\root\Office16\msix.dll.tmp
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RCom.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_Subscription-ppd.xrm-ms.tmp
C:\Program Files\Common Files\microsoft shared\ink\tabskb.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\UIAutomationProvider.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\WindowsFormsIntegration.resources.dll.tmp
C:\Program Files\Java\jdk-1.8\jre\bin\jp2native.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription5-ul-oob.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp6-pl.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_F_COL.HXK.tmp

System Location Discovery: System Language Discovery

Tag: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3852b6951b773dd454b32d6eef6621a94dc40e10fa069cdcf48102ba0534d1b9N.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3852b6951b773dd454b32d6eef6621a94dc40e10fa069cdcf48102ba0534d1b9N.exe

"C:\Users\Admin\AppData\Local\Temp\3852b6951b773dd454b32d6eef6621a94dc40e10fa069cdcf48102ba0534d1b9N.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 150.171.27.10:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 5.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp

Files

memory/3984-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-4089630652-1596403869-279772308-1000\desktop.ini.tmp

MD5 be3fed380a7e33b447a79f5267cbe12b
SHA1 2dc51f528f528e59b7844bb1458d6057071d7471
SHA256 4c16fd5eb8381048b964b643649a23800daba8ca1ba70b1e1691d3bd46d672b0
SHA512 f54557c9a9e1e5efef802975b26430c090df04ac3ae17935d0924fe7f51b7147d8b75d04351cad72e87a83c767b5aa3b598e917e13a0b37adac2b9fd82fe0409

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 7643d5999081e3065a9b4b177488bb20
SHA1 75c1129aca913ebe417f923794e4894767603ccf
SHA256 3dc30f2060e4845f0f7a4bcacd03cf92237c9f4174e36fedc650a390eecca8a3
SHA512 d5f8936fe774f713fb4d06e401d04d99ebf193bdb5546806eb782044765a67e58ebc21bc7108523eee7bfed784f875d189678255fc617be87aef32ea12f5a50a

memory/3984-748-0x0000000000400000-0x000000000040B000-memory.dmp