Malware Analysis Report

2024-12-07 10:06

Sample ID: 241112-z56z6szraw
Target: 3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e
SHA256: 3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e
Tags: upx discovery ransomware
Score: 9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 9/10

SHA256: 3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e

Threat Level: Likely malicious

The file 3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e was found to be: Likely malicious.

Malicious Activity Summary

upx discovery ransomware

Renames multiple (3566) files with added filename extension

Renames multiple (5116) files with added filename extension

UPX packed file

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-12 21:19

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-12 21:19

Reported

2024-11-12 21:21

Platform

win7-20240903-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe"

Signatures

Renames multiple (3566) files with added filename extension

ransomware

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bg-dock.png.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\README.TXT.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\SendMail.api.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\DVD Maker\Shared\Common.fxh.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\Microsoft Games\Multiplayer\Checkers\es-ES\ChkrRes.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\plugins\codec\libflac_plugin.dll.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_mp4_plugin.dll.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\plugins\codec\libcvdsub_plugin.dll.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\Windows Journal\de-DE\JNTFiltr.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationRight_SelectionSubpicture.png.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsNotesBackground.wmv.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_200_percent.pak.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-8.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\SaveAsRTF.api.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\Microsoft.Ink.dll.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\whitemask1047.png.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_zh_CN.jar.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\Mozilla Firefox\plugin-container.exe.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Cairo.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\Java\jre7\lib\zi\Asia\Jerusalem.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\Java\jre7\lib\zi\Pacific\Majuro.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color120.jpg.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\lua\playlist\liveleak.luac.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\Common Files\System\msadc\es-ES\msdaremr.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Rankin_Inlet.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\Java\jre7\lib\fonts\LucidaTypewriterBold.ttf.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\lua\http\images\speaker-32.png.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationLeft_ButtonGraphic.png.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\JoinGrant.vb.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\lua\playlist\rockbox_fm_presets.luac.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libcompressor_plugin.dll.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\es-419.pak.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\Java\jre7\lib\zi\MST.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\plugins\video_output\libdrawable_plugin.dll.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\VDK10.THD.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationUp_ButtonGraphic.png.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-masterfs.xml.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\Java\jre7\lib\deploy\messages_zh_TW.properties.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\plugins\access\libbluray-j2se-1.3.2.jar.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\plugins\codec\libd3d11va_plugin.dll.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\plugins\demux\libpva_plugin.dll.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\Windows Media Player\ja-JP\mpvis.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationUp_ButtonGraphic.png.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_fr.jar.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-utilities_ja.jar.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\Windows Media Player\ja-JP\wmpnetwk.exe.mui.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\css\picturePuzzle.css.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\reflow.api.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\VDK10.STD.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\DVD Maker\en-US\DVDMaker.exe.mui.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationUp_SelectionSubpicture.png.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Paramaribo.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_mms_plugin.dll.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\DVD Maker\es-ES\OmdProject.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\eclipse_update_120.jpg.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waxing-crescent.png.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\Java\jre7\lib\zi\America\Tijuana.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\plugins\misc\libexport_plugin.dll.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\gadget.xml.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\DVD Maker\es-ES\WMM2CLIP.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\MANIFEST.MF.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe

"C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe"

Network

N/A

Files

memory/2340-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3063565911-2056067323-3330884624-1000\desktop.ini.tmp

MD5 03ab87f1cceac018545825e1031b5703
SHA1 a1df1cfe64e574f9a167653828edecfa83e929c6
SHA256 dce95225f65a67e231e1fed62527726209a0584ac8e76119eeaefb0368fc9c17
SHA512 67b398e2bc5949c0e6efda8e83516d3ec80e5f311fe55e12595c181476d10d0081d70d8bda74a6823f2d489bafc03fa8f06ff61a995994a6b4a3c2d0a26a2dd2

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 477c83ec59dd408a565248019de1db48
SHA1 61c53e05866de23e17cecd028ea90a00459ebfea
SHA256 7f77f1a3439971b28b438559552c073e8ed5fa1a30f9e73ac6a5e2ae6a1f4fea
SHA512 9c66bc35beb86db917d126691075b4c5f5f3b43df66477b53dd4c6efa16a80e9107867075cbbdb70a05b77d3ca261215f5a7b100d6b9295446180f8eac031f07

memory/2340-70-0x0000000000400000-0x000000000040A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-12 21:19

Reported

2024-11-12 21:21

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe"

Signatures

Renames multiple (5116) files with added filename extension

ransomware

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL081.XML.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\pt-PT.pak.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-convert-l1-1-0.dll.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\jre\bin\javafx_font.dll.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp-pl.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-pl.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\1033\TelemetryDashboard.xltx.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.dll.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Grace-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTrial-pl.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\WordVL_MAK-ul-phn.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\1033\offsymxb.ttf.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\Common Files\System\Ole DB\msdasqlr.dll.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\jre\legal\javafx\libxslt.md.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\MSIPC\es\msipc.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\7-Zip\Lang\el.txt.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.VisualBasic.dll.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Resources.Reader.dll.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\bin\jstat.exe.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\jre\lib\charsets.jar.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Trial-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_PrepidBypass-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\SAEXT.DLL.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\7-Zip\Lang\is.txt.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.dll.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\PresentationFramework.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\PresentationCore.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\WindowsFormsIntegration.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Retail-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_OEM_Perp-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.WebHeaderCollection.dll.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.Brotli.dll.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Controls.Ribbon.dll.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Windows.Input.Manipulations.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.Serialization.dll.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\ReachFramework.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\System.Windows.Controls.Ribbon.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\1033\TellMePowerPoint.nrr.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\1033\WacLangPackEula.txt.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\7-Zip\Lang\sl.txt.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\Java\jre-1.8\lib\cmm\LINEAR_RGB.pf.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Windows.dll.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Send2.16.White.png.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\Java\jre-1.8\bin\awt.dll.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial2-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-locale-l1-1-0.dll.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL012.XML.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL102.XML.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Tasks.Parallel.dll.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\Java\jre-1.8\bin\java.dll.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.FileSystem.dll.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\Java\jre-1.8\lib\ext\sunjce_provider.jar.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.scale-180.png.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Xaml.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\Java\jre-1.8\lib\deploy.jar.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_Subscription-pl.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe

"C:\Users\Admin\AppData\Local\Temp\3ab1ca7cdf77afd6a82de1e72c1f6c0293cd93a1d99e2d23d22ab63869d1342e.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 71.208.201.84.in-addr.arpa | udp

Files

memory/4892-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-4089630652-1596403869-279772308-1000\desktop.ini.tmp

MD5 0ef31a5c39bede14fcbbb14b89a8725a
SHA1 6107d22fff6935bd58918ea130c07f1ae43f5abd
SHA256 30b39b599999517eab1a3086b23c9d88e8913132bf8c38e414e9acd0273368e5
SHA512 5281c95f1bb17b6d02fe779194637286c3e60003d0f04d6e103c333a369a39816966c5c0d093279577574e1d996b5f19afeb29ed4854d6202fa4dd8697ccbc6a

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 3d029efc43ff659dae87cd90164c0abf
SHA1 98d0fe44e0b3eee51e23501bb5827e71eb29f9e1
SHA256 bebbd654b2cadfc906180209da17d730a525ca3fe35c1d907cbfe182ce368d07
SHA512 fbdd213e0895fd32ce4143fb7d1e6ef59ade116d004d8066e00bf8924a34b0c558dc8286c39afcb703d21d4fdf5d624069348979359e71e8e2257703b4bf0a2f

memory/4892-785-0x0000000000400000-0x000000000040A000-memory.dmp