Malware Analysis Report

2025-03-15 08:24

Sample ID: 241020-zdbd7ayele
Target: 323181a875fdab8120034da0bedaeef45397a4c0e7233e171b99ee030d6ba12e
SHA256: 323181a875fdab8120034da0bedaeef45397a4c0e7233e171b99ee030d6ba12e
Tags: upx, discovery, ransomware
Score: 9/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 9/10

SHA256: 323181a875fdab8120034da0bedaeef45397a4c0e7233e171b99ee030d6ba12e

Threat Level: Likely malicious

The file 323181a875fdab8120034da0bedaeef45397a4c0e7233e171b99ee030d6ba12e was found to be: Likely malicious.

Malicious Activity Summary

Tags: upx, discovery, ransomware

Renames multiple (511) files with added filename extension

Renames multiple (4871) files with added filename extension

UPX packed file

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-20 20:35

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-20 20:35

Reported

2024-10-20 20:38

Platform

win7-20241010-en

Max time kernel

149s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\323181a875fdab8120034da0bedaeef45397a4c0e7233e171b99ee030d6ba12e.exe"

Signatures

Renames multiple (511) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory


System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\323181a875fdab8120034da0bedaeef45397a4c0e7233e171b99ee030d6ba12e.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\323181a875fdab8120034da0bedaeef45397a4c0e7233e171b99ee030d6ba12e.exe

"C:\Users\Admin\AppData\Local\Temp\323181a875fdab8120034da0bedaeef45397a4c0e7233e171b99ee030d6ba12e.exe"

Network

N/A

Files

memory/3016-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3692679935-4019334568-335155002-1000\desktop.ini.tmp

MD5 e7e1a3314edf4304e60931b85310daad
SHA1 4cf1dae05279625a21b7427c0df8c82bfd229110
SHA256 944fe59486c37208fe382ab7ddf1bd40eff848987b4fb3e90c7f2286251e7fe6
SHA512 b20a5cae76c7803f4de54d3d75b9e08c486cd370bb77b354939b3a74f3b32145af3eb7a1ee1ea3199541ff94b51ad78b138352d32b0d5a64a9dab028c82615a6

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 fc69dc86a1d500c6efd172acfe206efc
SHA1 6e059238243004423ea69edf0fa908ee42c49728
SHA256 2c756b8551106dde2e437549c03be8456be7ed6e149b4952ef383739482f75b0
SHA512 4839171ba36589417ee4163beb6cc46203071a9fcde5cf2340e03bc31509022974e75df0efaf03dc74d2729777399ca81152d6439b58a2b7b836f4f27dd06490

memory/3016-20-0x0000000000400000-0x000000000040B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-20 20:35

Reported

2024-10-20 20:38

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\323181a875fdab8120034da0bedaeef45397a4c0e7233e171b99ee030d6ba12e.exe"

Signatures

Renames multiple (4871) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory


System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\323181a875fdab8120034da0bedaeef45397a4c0e7233e171b99ee030d6ba12e.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\323181a875fdab8120034da0bedaeef45397a4c0e7233e171b99ee030d6ba12e.exe

"C:\Users\Admin\AppData\Local\Temp\323181a875fdab8120034da0bedaeef45397a4c0e7233e171b99ee030d6ba12e.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 68.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

memory/2396-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3756129449-3121373848-4276368241-1000\desktop.ini.tmp

MD5 4db30db1650f00940285e5282c89f844
SHA1 b026b9f5e08c1deb8d9ef5e2b4e38b2313aa3cab
SHA256 36823ebb80896ecba10d1eff59f589ac1a003b12c0b408824fd84c587bb858ca
SHA512 2c60369ed3778b409a29fc5b3e51de9b42cbce18e49cb0f42be998cafbd23b030be134d4ca23e61f2dfae8fc3458e7c85529864a4bb47b478ef90b1477139ddf

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 e2fd62434b0d61fa140a71020039ea91
SHA1 e0174d9d0e922de1b222debd3aa8eae6102ae67e
SHA256 c4ed9a36b820019a400eb2b0a01a79227404b470637f3dc04ee60d86c79327a7
SHA512 b83f50962596644ef0730c47c083a5266fb4c28579e352495126ea4939b0eabd8a9098fc1a58a4fcdd47075ff6e817608e1a9e1a2161c342b29882de925486c9

memory/2396-660-0x0000000000400000-0x000000000040B000-memory.dmp