Malware Analysis Report

2025-01-22 19:54

Sample ID 241016-zg85ma1hkg
Target 5043ffb38ffcaa43f1d30dfd14ddeee6298fc8eafc1ec15881405e78969e4c39
SHA256 5043ffb38ffcaa43f1d30dfd14ddeee6298fc8eafc1ec15881405e78969e4c39
Tags
upx discovery ransomware
score
9/10


Analysis Overview

score
9/10

SHA256

5043ffb38ffcaa43f1d30dfd14ddeee6298fc8eafc1ec15881405e78969e4c39

Threat Level: Likely malicious

The file 5043ffb38ffcaa43f1d30dfd14ddeee6298fc8eafc1ec15881405e78969e4c39 was found to be: Likely malicious.

Malicious Activity Summary

upx discovery ransomware

Renames multiple (645) files with added filename extension

Renames multiple (5030) files with added filename extension

UPX packed file

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-10-16 20:42

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 20:42

Reported

2024-10-16 20:45

Platform

win7-20241010-en

Max time kernel

151s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5043ffb38ffcaa43f1d30dfd14ddeee6298fc8eafc1ec15881405e78969e4c39.exe"

Signatures

Renames multiple (645) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory


System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5043ffb38ffcaa43f1d30dfd14ddeee6298fc8eafc1ec15881405e78969e4c39.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5043ffb38ffcaa43f1d30dfd14ddeee6298fc8eafc1ec15881405e78969e4c39.exe

"C:\Users\Admin\AppData\Local\Temp\5043ffb38ffcaa43f1d30dfd14ddeee6298fc8eafc1ec15881405e78969e4c39.exe"

Network

N/A

Files

memory/1996-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3692679935-4019334568-335155002-1000\desktop.ini.tmp

MD5 49dcf6242ec05f293a83981c07d178f8
SHA1 02a73059e485d9808829612ee0fd29e23c4f9aa9
SHA256 d8a32446902e7c1d155dd0addf6f7fc9e4e915901d90733f9127c299ada13809
SHA512 faf37451f8c86f7b7d719ab931e53aadc78b9a2c019dc775935355bc380c710c75fb933218d8800ba894d01d04d45b28588a7ee0e1af796a04f9460408543cdf

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 297e56b891326b055c0e39ac0ec70fd0
SHA1 8627b3d1b3feff9e85d9289acac6cf5049d3833e
SHA256 0f3edf5705040d916c4d8402bc661fca3a5837a5a759e725e5c9425149cc9e5c
SHA512 e75c57e36a6c168532aad484f4278244de17e981e8a45ddb1a8f3eb257e7f693ece40119ccf72765315b22d4932c719f2919bb554191a0005739d145baf68635

memory/1996-20-0x0000000000400000-0x000000000040B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 20:42

Reported

2024-10-16 20:45

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5043ffb38ffcaa43f1d30dfd14ddeee6298fc8eafc1ec15881405e78969e4c39.exe"

Signatures

Renames multiple (5030) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory


System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5043ffb38ffcaa43f1d30dfd14ddeee6298fc8eafc1ec15881405e78969e4c39.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5043ffb38ffcaa43f1d30dfd14ddeee6298fc8eafc1ec15881405e78969e4c39.exe

"C:\Users\Admin\AppData\Local\Temp\5043ffb38ffcaa43f1d30dfd14ddeee6298fc8eafc1ec15881405e78969e4c39.exe"

Network


Files

memory/3516-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-493223053-2004649691-1575712786-1000\desktop.ini.tmp

MD5 32366fda158e13e835c7bc0e64d04e7a
SHA1 0fc9f501fe216dcd2496b501decacb19f9a84118
SHA256 5410307323a47cb7d9f4671e9b22d8739562aa8a28565be1e506b8158ea23d0e
SHA512 eac1237c6b467c9be8aa89211091d465937ea23b96e0f27a12e34f46a6a754025d411778ec2d29a90f9f2771b088320abc6083032b0a75a3e629de7c6906d432

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 2d26eb36ed7f3d2cbecf6e5453e6e53a
SHA1 6596e26488530928c678e2af71b9a3fcbdca7009
SHA256 13b3c034c7ba808d3780e7dea19b23ddc4c3ef28d3e405b93a8d50987dffbba1
SHA512 63678338d4088728aaf78031cec5b9609884f37dfc053a7b913ec0afb29d46cc9bec6520b8ea1bf577ddba9f6ca794c878913054a7cad9a6012c6b37f08a512e

memory/3516-666-0x0000000000400000-0x000000000040B000-memory.dmp