Malware Analysis Report

2025-03-15 08:25

Sample ID 241020-x7sjfswdkd
Target 870b0e67bbe98778edd69393ab4efb9fa7542637eccd5f32ca0f006af36937a4N
SHA256 870b0e67bbe98778edd69393ab4efb9fa7542637eccd5f32ca0f006af36937a4
Tags
upx discovery ransomware
Score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
9/10

SHA256

870b0e67bbe98778edd69393ab4efb9fa7542637eccd5f32ca0f006af36937a4

Threat Level: Likely malicious

The file 870b0e67bbe98778edd69393ab4efb9fa7542637eccd5f32ca0f006af36937a4N was found to be: Likely malicious.

Malicious Activity Summary

upx discovery ransomware

Renames multiple (4613) files with added filename extension

Renames multiple (3164) files with added filename extension

UPX packed file

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-20 19:30

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-20 19:30

Reported

2024-10-20 19:32

Platform

win7-20240903-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\870b0e67bbe98778edd69393ab4efb9fa7542637eccd5f32ca0f006af36937a4N.exe"

Signatures

Renames multiple (3164) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\870b0e67bbe98778edd69393ab4efb9fa7542637eccd5f32ca0f006af36937a4N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\870b0e67bbe98778edd69393ab4efb9fa7542637eccd5f32ca0f006af36937a4N.exe

"C:\Users\Admin\AppData\Local\Temp\870b0e67bbe98778edd69393ab4efb9fa7542637eccd5f32ca0f006af36937a4N.exe"

Network

N/A

Files

C:\$Recycle.Bin\S-1-5-21-3290804112-2823094203-3137964600-1000\desktop.ini.tmp

MD5 782e940ac22f0471e4953b16aaa6d2d7
SHA1 eaa6f25021c63649a30a87b490dff6f4ec93dddb
SHA256 eb9f6b4f4350409ca555419d0a7fa70c27d71d1637e93d4c27e78f362c95bff9
SHA512 b05954612955bb198c45d3d170810bc4ceffb1803892214eb4d72f0f62c81d0c9ca9df156409cac5624cedb358756036d81308e0df0bfec115bc8ced19247c26

memory/1616-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 6aba3dc7f1d6ee8fa8bff431e418b33f
SHA1 7c26968083cb340cd1d673b15015470d3fd1d717
SHA256 8aa7515190c81bc5a66ae0bcc5786e222c230ac66e6736d0e1037deddeeea1b2
SHA512 918d0f573927e54fe82ac5e34856100415bcb9df359b8bf9dc246e2c9ba5cb5b38837ddf492f8afe26a6eb0945323ef1ca0d91b7bc85aad7c56ddcf641012eda

memory/1616-69-0x0000000000400000-0x000000000040A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-20 19:30

Reported

2024-10-20 19:32

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

111s

Command Line

"C:\Users\Admin\AppData\Local\Temp\870b0e67bbe98778edd69393ab4efb9fa7542637eccd5f32ca0f006af36937a4N.exe"

Signatures

Renames multiple (4613) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\870b0e67bbe98778edd69393ab4efb9fa7542637eccd5f32ca0f006af36937a4N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\870b0e67bbe98778edd69393ab4efb9fa7542637eccd5f32ca0f006af36937a4N.exe

"C:\Users\Admin\AppData\Local\Temp\870b0e67bbe98778edd69393ab4efb9fa7542637eccd5f32ca0f006af36937a4N.exe"

Network

Country Destination Domain Proto

Files

memory/3592-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3442511616-637977696-3186306149-1000\desktop.ini.tmp

MD5 61d6ddea1464d9fa1163d670dd431beb
SHA1 e4de39c8f07e8a3487a34de7747f49ddd58f234f
SHA256 31024d1a5c74c6b1bac38013bf4c79b25c105650bda84dc1bd04dfa38cedb841
SHA512 ac9b0d3d7e662e63df8e874ab54bfc66db00a6c00cc2bf90eaf093fcc55634750e41d3d2113500bdd29b8a0b2fe3769d19d3739da3ad5dd76bc07d22b261d3cb

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 1767fe5d4e3a0059bc792798c2861c6d
SHA1 5367294ccb1ad43df8044f3f1ce16de83d995a2e
SHA256 42bd014c8939534a880d7caf0d59032f744df679cead3d9f6b7695e1a5765314
SHA512 9904d59e7e0f7a85ba1b046dd70a65d86acdbedfd660f0646ebfc8004689d4715e25ddcb2b72168ff0498295a1cd61655852e74aef2539601301c10705e40146

memory/3592-667-0x0000000000400000-0x000000000040A000-memory.dmp