Malware Analysis Report

2025-01-22 19:54

Sample ID 241016-z8slysxbnq
Target 3852b6951b773dd454b32d6eef6621a94dc40e10fa069cdcf48102ba0534d1b9N
SHA256 3852b6951b773dd454b32d6eef6621a94dc40e10fa069cdcf48102ba0534d1b9
Tags: upx, discovery, ransomware
Score: 9/10


Analysis Overview

Score: 9/10

SHA256

3852b6951b773dd454b32d6eef6621a94dc40e10fa069cdcf48102ba0534d1b9

Threat Level: Likely malicious

The file 3852b6951b773dd454b32d6eef6621a94dc40e10fa069cdcf48102ba0534d1b9N was found to be: Likely malicious.

Malicious Activity Summary

Tags: upx, discovery, ransomware

Renames multiple (3684) files with added filename extension

Renames multiple (5099) files with added filename extension

UPX packed file

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-16 21:23

Signatures

UPX packed file

Tag: upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 21:23

Reported

2024-10-16 21:26

Platform

win7-20240708-en

Max time kernel

150s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3852b6951b773dd454b32d6eef6621a94dc40e10fa069cdcf48102ba0534d1b9N.exe"

Signatures

Renames multiple (3684) files with added filename extension

Tag: ransomware

UPX packed file

Tag: upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in Program Files directory

Description: File created (same for all 64 rows)
Process: C:\Users\Admin\AppData\Local\Temp\3852b6951b773dd454b32d6eef6621a94dc40e10fa069cdcf48102ba0534d1b9N.exe (same for all 64 rows)
Target: N/A (same for all 64 rows)
Indicator (one per row):
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-options-keymap.xml.tmp
C:\Program Files\Mozilla Firefox\postSigningData.tmp
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\acro20.lng.tmp
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Maceio.tmp
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Chagos.tmp
C:\Program Files\Java\jre7\lib\deploy.jar.tmp
C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_duplicate_plugin.dll.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.docs.ja_5.5.0.165303.jar.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.nl_ja_4.4.0.v20140623020002.jar.tmp
C:\Program Files\Java\jre7\lib\zi\SystemV\MST7.tmp
C:\Program Files\Mozilla Firefox\qipcap64.dll.tmp
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Net.Resources.dll.tmp
C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\js\clock.js.tmp
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Matamoros.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-ui_zh_CN.jar.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.nl_zh_4.4.0.v20140623020002.jar.tmp
C:\Program Files\Windows Mail\wabimp.dll.tmp
C:\Program Files\7-Zip\Lang\vi.txt.tmp
C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\java.policy.tmp
C:\Program Files\InstallUse.ttf.tmp
C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\js\settings.js.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-windows.xml.tmp
C:\Program Files\Microsoft Games\Chess\es-ES\Chess.exe.mui.tmp
C:\Program Files\Mozilla Firefox\install.log.tmp
C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\es-ES\gadget.xml.tmp
C:\Program Files\Common Files\System\msadc\fr-FR\msadcer.dll.mui.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\LightBlueRectangle.PNG.tmp
C:\Program Files\Java\jre7\lib\zi\America\Manaus.tmp
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\Microsoft.Build.Conversion.v3.5.resources.dll.tmp
C:\Program Files\VideoLAN\VLC\plugins\codec\libdvbsub_plugin.dll.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationUp_SelectionSubpicture.png.tmp
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ta.pak.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.concurrent_1.1.0.v20130327-1442.jar.tmp
C:\Program Files\Java\jre7\bin\jp2iexp.dll.tmp
C:\Program Files\Java\jre7\lib\zi\Europe\Athens.tmp
C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_livehttp_plugin.dll.tmp
C:\Program Files\Windows Media Player\es-ES\wmpnssci.dll.mui.tmp
C:\Program Files\7-Zip\Lang\io.txt.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\TipTsf.dll.mui.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\mc.jar.tmp
C:\Program Files\Java\jre7\lib\zi\Europe\Zaporozhye.tmp
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\UIAutomationClientsideProviders.resources.dll.tmp
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.Entity.Design.Resources.dll.tmp
C:\Program Files\VideoLAN\VLC\locale\id\LC_MESSAGES\vlc.mo.tmp
C:\Program Files\VideoLAN\VLC\plugins\access\libvdr_plugin.dll.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\micaut.dll.mui.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationRight_SelectionSubpicture.png.tmp
C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waxing-gibbous_partly-cloudy.png.tmp
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf.tmp
C:\Program Files\VideoLAN\VLC\plugins\codec\libx264_plugin.dll.tmp
C:\Program Files\Windows Journal\JNTFiltr.dll.tmp
C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll.tmp
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Xml.Linq.Resources.dll.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationLeft_SelectionSubpicture.png.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-editor-mimelookup-impl.jar.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.property.nl_zh_4.4.0.v20140623020002.jar.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-javahelp.xml.tmp
C:\Program Files\Microsoft Games\Solitaire\de-DE\Solitaire.exe.mui.tmp
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Conversion.v3.5.dll.tmp
C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\RSSFeeds.html.tmp
C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\5.png.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\navSubpicture.png.tmp
C:\Program Files\Internet Explorer\networkinspection.dll.tmp
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.Services.resources.dll.tmp

System Location Discovery: System Language Discovery

Tag: discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3852b6951b773dd454b32d6eef6621a94dc40e10fa069cdcf48102ba0534d1b9N.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3852b6951b773dd454b32d6eef6621a94dc40e10fa069cdcf48102ba0534d1b9N.exe

"C:\Users\Admin\AppData\Local\Temp\3852b6951b773dd454b32d6eef6621a94dc40e10fa069cdcf48102ba0534d1b9N.exe"

Network

N/A

Files

memory/2276-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-1506706701-1246725540-2219210854-1000\desktop.ini.tmp

MD5 2aa33453e1bac3e3381ab1e39a07013b
SHA1 24e4472620410f0dfd5cd663764bc263b1a28e12
SHA256 a5808ba510606d82107b217efa177c471b88713bc675f0d31b01bc478fc7ed8c
SHA512 77e9a4d161bb0fea3c366e8b7d5e5e118c044ae260bb72cbfe54fca62ac0f44f213bc9d4259d4236580cbc0d06a8785367257186260c5212e48e3642d8c7c6e3

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 36d9385f20913365cdade0bb0132458c
SHA1 82385a098d85261d01cf3942e3aa082d1a9c50e6
SHA256 0a124ef96dcd4aba63449305b1ebe0afb6919cc655ef4704d45a7d341957904a
SHA512 5c25fdbec8905b3d5c332518f1b7a39f841794756322839174d6f3551c990d0f4758c5ab4cc677d2183c2bcdda3721346741c3affd8d55290f973fb4b9b4d620

memory/2276-68-0x0000000000400000-0x000000000040B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 21:23

Reported

2024-10-16 21:26

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3852b6951b773dd454b32d6eef6621a94dc40e10fa069cdcf48102ba0534d1b9N.exe"

Signatures

Renames multiple (5099) files with added filename extension

Tag: ransomware

UPX packed file

Tag: upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in Program Files directory

Description: File created (same for all 64 rows)
Process: C:\Users\Admin\AppData\Local\Temp\3852b6951b773dd454b32d6eef6621a94dc40e10fa069cdcf48102ba0534d1b9N.exe (same for all 64 rows)
Target: N/A (same for all 64 rows)
Indicator (one per row):
C:\Program Files\7-Zip\Lang\an.txt.tmp
C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-ppd.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_OEM_Perp-ul-oob.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.tmp
C:\Program Files\Microsoft Office\root\Office16\MSIPC\en-us\msipc.dll.mui.tmp
C:\Program Files\Microsoft Office\root\Office16\officeappguardwin32.exe.tmp
C:\Program Files\Microsoft Office\root\Office16\OFFSYMSB.TTF.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Security.Cryptography.ProtectedData.dll.tmp
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\gu.pak.tmp
C:\Program Files\Java\jre-1.8\lib\javafx.properties.tmp
C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_OEM_Perp-pl.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-ul-phn.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_MAKC2R-pl.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA\libssl-1_1-x64.dll.tmp
C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\PresentationCore.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\PresentationUI.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Microsoft.VisualBasic.Forms.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework-SystemDrawing.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-pl.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\1033\PowerPivotExcelClientAddIn.rll.tmp
C:\Program Files\Java\jdk-1.8\jre\bin\w2k_lsa_auth.dll.tmp
C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaSansRegular.ttf.tmp
C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.MDXQueryGenerator.dll.tmp
C:\Program Files\Common Files\microsoft shared\ink\uk-UA\TipRes.dll.mui.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.FileSystem.Watcher.dll.tmp
C:\Program Files\Java\jre-1.8\bin\ssv.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial2-ppd.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\WordVL_KMS_Client-ul.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA\openssl64.dlla.manifest.tmp
C:\Program Files\Microsoft Office\root\Office16\react-native-win32.dll.tmp
C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]
C:\Program Files\Internet Explorer\iexplore.exe.tmp
C:\Program Files\Microsoft Office\root\Document Themes 16\Integral.thmx.tmp
C:\Program Files\Microsoft Office\root\Licenses\c2rpridslicensefiles_auto.xml.tmp
C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Trial-ul-oob.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\ProjectProMSDNR_Retail-ul-oob.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_MAK_AE-pl.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\16\Built-In Building Blocks.dotx.tmp
C:\Program Files\Microsoft Office\root\Office16\msvcp120.dll.tmp
C:\Program Files\Java\jre-1.8\bin\jp2iexp.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_MAK_AE-pl.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Grace-ppd.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.Diagnostics.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\UIAutomationClient.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\System.Windows.Input.Manipulations.resources.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_MAKC2R-ul-oob.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_Subscription-ppd.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.DocumentServices.dll.tmp
C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL078.XML.tmp
C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-pl.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail-ul-phn.xrm-ms.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\PresentationCore.resources.dll.tmp
C:\Program Files\Java\jdk-1.8\legal\javafx\icu_web.md.tmp
C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml.tmp
C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-pl.xrm-ms.tmp
C:\Program Files\Common Files\microsoft shared\ClickToRun\ApiClient.dll.tmp
C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_COL.HXT.tmp
C:\Program Files\Microsoft Office\root\Office16\msoadfsb.exe.tmp
C:\Program Files\Microsoft Office\root\Office16\OsfTaskengine.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Globalization.Calendars.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Linq.dll.tmp
C:\Program Files\Java\jdk-1.8\bin\javaws.exe.tmp

System Location Discovery: System Language Discovery

Tag: discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3852b6951b773dd454b32d6eef6621a94dc40e10fa069cdcf48102ba0534d1b9N.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3852b6951b773dd454b32d6eef6621a94dc40e10fa069cdcf48102ba0534d1b9N.exe

"C:\Users\Admin\AppData\Local\Temp\3852b6951b773dd454b32d6eef6621a94dc40e10fa069cdcf48102ba0534d1b9N.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 150.171.28.10:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 27.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp

Files

memory/2680-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-940901362-3608833189-1915618603-1000\desktop.ini.tmp

MD5 19e3acd860e08be6ce1a336fe80ff99f
SHA1 dc5caa71ba3449186f510c6b2298a7ff1fb1bd54
SHA256 82f0baf894787763abebea5e6d641c60b4c79e1e9273838df02c9c7846be2a05
SHA512 266f67e5c63e69854030d546f3ae29d3b301422d3e9070d214c9cd009e8f6c788ebacaab252d1a37abbe23d2426faf5fbf3ebca7b69969207574746d64a28445

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 84bca296fad3456434a61b45c0a1be4b
SHA1 3e3850722cd1841421b281c831ff110332f732e3
SHA256 f0e30c020ddf2bb2ed00c3ecfce87c237537b48a72875d86675d5da1d3658737
SHA512 fa52f34527ef0e173031d981f730579ca3d7c71a6581f7ffee1f3fd8fcafe9b718cfdb5de0bbed89c013bbddee15800ff15fe49a26701aece14c11de0c47d100

memory/2680-790-0x0000000000400000-0x000000000040B000-memory.dmp