Malware Analysis Report

2025-01-22 20:18

Sample ID: 241020-dar2wavcjc
Target: b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN
SHA256: b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38b
Tags: discovery ransomware upx
Score: 9/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 9/10

SHA256: b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38b

Threat Level: Likely malicious

The file b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN was found to be: Likely malicious.

Malicious Activity Summary

discovery ransomware upx

Renames multiple (4210) files with added filename extension

Renames multiple (2838) files with added filename extension

UPX packed file

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-10-20 02:48

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-20 02:48
Reported: 2024-10-20 02:50
Platform: win7-20240903-en
Max time kernel: 120s
Max time network: 17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe"

Signatures

Renames multiple (2838) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationUp_ButtonGraphic.png.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-cli_ja.jar.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata_2.2.0.v20131211-1531.jar.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-lib-uihandler_ja.jar.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\ja-JP\sqlxmlx.rll.mui.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Java\jre7\bin\java.dll.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Europe\Samara.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Microsoft Games\Minesweeper\en-US\Minesweeper.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipBand.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Prague.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Mozilla Firefox\api-ms-win-crt-convert-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\ShapeCollector.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Common Files\System\msadc\de-DE\msaddsr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-options.xml.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Java\jre7\bin\libxml2.dll.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Java\jre7\lib\cmm\GRAY.pf.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Microsoft Games\Multiplayer\Checkers\en-US\chkrzm.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwruklm.dat.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\MSTTSCommon.dll.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Internet Explorer\perf_nt.dll.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\diagnostic-command-16.png.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Kentucky\Louisville.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Etc\GMT-9.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationLeft_ButtonGraphic.png.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\720x480blacksquare.png.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Montevideo.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.webapp.nl_zh_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Cayman.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\MeasureSubmit.aifc.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Monet.jpg.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Monterrey.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Atlantic\Faroe.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Microsoft Games\SpiderSolitaire\de-DE\SpiderSolitaire.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Argentina\San_Juan.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\7-Zip\Lang\uk.txt.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\shatter.png.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaTypewriterBold.ttf.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Los_Angeles.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\ECLIPSE_.SF.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\7-Zip\Lang\gu.txt.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.services.nl_zh_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-queries.xml.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Java\jre7\bin\verify.dll.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Palau.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Java\jre7\lib\content-types.properties.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\db\bin\dblook.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\St_Johns.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\vk_swiftshader.dll.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Argentina\Salta.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Pacific\Pohnpei.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Microsoft Games\More Games\it-IT\MoreGames.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\SystemV\CST6.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\7-Zip\Lang\pa-in.txt.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Connectivity.gif.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Notes_content-background.png.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Mahe.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-spi-quicksearch_ja.jar.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Asia\Chita.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Microsoft Games\FreeCell\de-DE\FreeCell.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\PresentationCore.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.htm.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationUp_SelectionSubpicture.png.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe

"C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe"

Network

N/A

Files

C:\$Recycle.Bin\S-1-5-21-2872745919-2748461613-2989606286-1000\desktop.ini.tmp

MD5 783ddae08bb15f5bf9819e32570ba558
SHA1 ff61b39bad63487e0f16ef90f2e0fd5db7935bba
SHA256 3e1f146a40a8aba05332ea08abf2ab6ab5b53f80315705db632509c0e9133bb0
SHA512 7fcadf8d29e687a5951c860e3cdf90fbd5001848c60eaaddce2e97d1d945a1df1bbdde0adfc099c801e115163f82a98d6d0db99dcdb31bd173b069a715e220fd

memory/2272-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 cb5585e551fac8414489f7bd8684d3e9
SHA1 4e5e067a4f7e7cd282bb37ed0fdabd0cdefe79ba
SHA256 0207a90424a813d8472bee0d28d865f68a30deddf3d3b6414bb1a99316055cbf
SHA512 b0c3c6e1778e6bf771f04c790678f2e8942cb5dabb3d43d1d11df947a9a1ca820541662aff04653f5e849d542d2f2eaf89b68fe1b5fddc149a6e75a7434b6183

memory/2272-70-0x0000000000400000-0x000000000040B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-10-20 02:48
Reported: 2024-10-20 02:50
Platform: win10v2004-20241007-en
Max time kernel: 120s
Max time network: 106s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe"

Signatures

Renames multiple (4210) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\msix.dll.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Csp.dll.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\mscordaccore_amd64_amd64_8.0.224.6711.dll.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\jstack.exe.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Initialization.dll.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\7-Zip\Lang\et.txt.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\symbase.xml.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\UIAutomationClientSideProviders.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Retail-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Spatial.NetFX35.V7.dll.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Excel.Common.FrontEnd.dll.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\j2gss.dll.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\msvcp140.dll.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\resource.dll.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Microsoft Office\root\Integration\SPPRedist.msi.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Trial-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ServiceModel.Web.dll.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\Content.xml.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Private.Xml.Linq.dll.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\Microsoft.VisualBasic.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\WindowsFormsIntegration.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_MAK-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\UIAutomationClientSideProviders.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red Orange.xml.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp6-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Office.dll.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\oledb32r.dll.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Collections.dll.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.TypeExtensions.dll.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\PresentationFramework.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\UIAutomationProvider.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Drawing.Common.dll.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Windows.Controls.Ribbon.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\en-GB\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\deploy\splash.gif.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest4-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp6-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\PresentationFramework.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Security.Permissions.dll.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\UIAutomationClientSideProviders.dll.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\msvcp140_2.dll.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\psfontj2d.properties.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\Sybase.xsl.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fr-CA\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Diagnostics.EventLog.Messages.dll.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\legal\javafx\libxml2.md.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\meta-index.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail2-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.Reporting.AdHoc.Shell.Bootstrapper.xap.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\UIAutomationTypes.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Extensions.dll.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_WHATSNEW.XML.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ipscat.xml.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\PresentationUI.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Java\jdk-1.8\legal\jdk\giflib.md.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.OData.Edm.NetFX35.dll.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\7-Zip\Lang\mr.txt.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Forms.Design.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Java\jdk-1.8\include\win32\jni_md.h.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe

"C:\Users\Admin\AppData\Local\Temp\b5d36987d3a74a9f1af4e705048e3212e3d1d19d54c6ced1326311de298fb38bN.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

memory/5032-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3227495264-2217614367-4027411560-1000\desktop.ini.tmp

MD5 bf5e9b27cd28c91cbc9691cfb6c3a183
SHA1 a188f6fee6bb40d1a6be71ec9f3cd9645f0d48ed
SHA256 3b4edc1aeb5c8e2cd9fe0a8b3deaad96f6468c8d6845724c7ed32a42cc286f8a
SHA512 d5fe3f234812763e72d6816d78c2239038dfc33ac594b5477dc6c13589c4f6b53113bf84c9b3b583521104dfcda3f6389334f764832770dd295752290fc600fc

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 16b8fda39595ceabd9f2f35881e6be09
SHA1 aedc6e0b2ca039183125c09d641a9b75986c8e29
SHA256 ebef8c9ea6741b6694ccbe128b62bdb98890d2c07857592a4a109a75ba24e15a
SHA512 1145b99bc97e55838bb816e11429e7787f79df8a79c954033cac295566c4699f26e27458a21916c6eb2776f2d8d08a37f4cea67f8bb6cbdd7111906f7a7f9b5d

memory/5032-656-0x0000000000400000-0x000000000040B000-memory.dmp