Malware Analysis Report

2024-12-07 10:07

Sample ID 241112-zfevds1cmr
Target 29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c
SHA256 29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c
Tags
upx discovery ransomware
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c

Threat Level: Likely malicious

The file 29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c was found to be: Likely malicious.

Malicious Activity Summary

upx discovery ransomware

Renames multiple files with added filename extension (4109 files in behavioral1 / win7; 5247 files in behavioral2 / win10)

UPX packed file

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-12 20:39

Signatures

UPX packed file

upx
Description Indicator Process Target
(1 match; no indicator, process or target detail recorded)

Unsigned PE

Description Indicator Process Target
(2 matches; no indicator, process or target detail recorded)
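A static check for the two static1 signatures above, "UPX packed file" and "Unsigned PE", as an added example that is not part of the sandbox report and was not run against this sample. It walks only the PE headers with the standard library: UPX-style section names or the "UPX!" marker indicate packing, and an empty security data directory means no Authenticode certificate table is attached. The PE images it inspects are constructed in memory by build_pe; the section names and the certificate-table offset/size it writes are assumptions for the demonstration, not values from the sample.

```python
"""Static triage for 'UPX packed file' and 'Unsigned PE'. Added example; the
PE images checked here are constructed below, not the report's sample."""
import struct

E_LFANEW = 0x3C                       # DOS header field holding the PE header offset
IMAGE_DIRECTORY_ENTRY_SECURITY = 4    # data directory slot for the Authenticode table
MAGIC_PE32, MAGIC_PE32PLUS = 0x10B, 0x20B
DIR_TABLE_OFFSET = {MAGIC_PE32: 96, MAGIC_PE32PLUS: 112}   # start of data directories
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def parse_pe(data: bytes) -> dict:
    """Walk DOS -> PE -> COFF -> optional header -> section table and return
    the section names and the size of the security (certificate) directory."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe = struct.unpack_from("<I", data, E_LFANEW)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in DIR_TABLE_OFFSET:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dirs = opt + DIR_TABLE_OFFSET[magic]
    _, sec_size = struct.unpack_from("<II", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    table = opt + opt_size                # section headers are 40 bytes each, name first
    names = [data[table + 40 * i:table + 40 * i + 8].rstrip(b"\0") for i in range(num_sections)]
    return {"sections": names, "security_dir_size": sec_size}


def static_signatures(data: bytes) -> dict:
    """Reproduce the two static1 verdicts. Both are heuristics: UPX can be told to
    rename its sections, and a present certificate table is not a valid signature
    (that needs a real Authenticode verification, e.g. signtool verify)."""
    info = parse_pe(data)
    return {
        "sections": [n.decode("ascii", "replace") for n in info["sections"]],
        "upx_packed": any(n in UPX_SECTION_NAMES for n in info["sections"]) or b"UPX!" in data,
        "unsigned_pe": info["security_dir_size"] == 0,
    }


def build_pe(section_names, signed: bool = False) -> bytes:
    """Constructed, headers-only PE32 image for the demonstration (not loadable)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW, 0x40)
    opt_size = 96 + 16 * 8                              # PE32 fields + 16 directories
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, MAGIC_PE32)
    struct.pack_into("<I", opt, 92, 16)                 # NumberOfRvaAndSizes
    if signed:                                          # assumed offset/size of a cert table
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x1000, 0x800)
    table = b"".join(struct.pack("<8s", n) + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


if __name__ == "__main__":
    print(static_signatures(build_pe([b"UPX0", b"UPX1", b".rsrc"])))
    print(static_signatures(build_pe([b".text", b".rdata", b".data"], signed=True)))
```

To apply it to a real file, pass the bytes of the executable to static_signatures; a packed, unsigned binary reports upx_packed and unsigned_pe both True, which is what the two static1 rows above say about this sample.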

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-12 20:39

Reported

2024-11-12 20:41

Platform

win7-20240903-en

Max time kernel

150s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe"

Signatures

Renames multiple (4109) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
(4 matches; no indicator, process or target detail recorded)

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Microsoft Games\FreeCell\desktop.ini.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\access\libhttps_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\webbase.xml.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\button-highlight.png.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\hprof.dll.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\splash.gif.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.ssl_1.1.0.v20140827-1444.jar.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.natives.nl_zh_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\IRIS\THMBNAIL.PNG.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ro.pak.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\epl-v10.html.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.forms_3.6.100.v20140422-1825.jar.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\Microsoft Games\Multiplayer\Backgammon\fr-FR\bckgzm.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\vlc.mo.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\tabskb.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\th.pak.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\playlist\jamendo.luac.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\settings.html.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\NPSWF32.dll.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\org.eclipse.equinox.p2.metadata.repository.prefs.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\services_discovery\libsap_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-full.png.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.en\Proof.XML.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ICE\ICE.INF.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-applemenu_ja.jar.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-actions_zh_CN.jar.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Argentina\Cordoba.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waxing-gibbous_partly-cloudy.png.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_thunderstorm.png.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\Java\jre7\bin\kinit.exe.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\Mozilla Firefox\firefox.VisualElementsManifest.xml.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\modules\sandbox.luac.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_snow.png.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EDGE\PREVIEW.GIF.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\pt-PT.pak.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-sendopts_ja.jar.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Asia\Dhaka.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ARCTIC\PREVIEW.GIF.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Dot.png.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationUp_ButtonGraphic.png.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.nl_zh_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\JdbcOdbc.dll.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\gadget.xml.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\Help\1049\hxdsui.dll.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATER\WATER.ELM.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-multiview_ja.jar.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Data.Services.Design.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\Windows Media Player\es-ES\setup_wm.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\gadget.xml.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_few-showers.png.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\7-Zip\Lang\it.txt.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\npjp2.dll.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Tegucigalpa.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\vlc.mo.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PROPLUS\ProPlusWW.XML.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\css\settings.css.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\msinfo32.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\Internet Explorer\msdbg2.dll.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\license.html.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.eclipse.nl_ja_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A

This key holds the system's installed/default language (ATT&CK T1614.001, System Language Discovery). Ransomware families commonly read it to skip hosts with particular locales, but the report records only that the key was opened, not what the sample did with the value, so a locale check is unconfirmed for this sample.

Processes

C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe

"C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe"

Network

N/A

Files

memory/3040-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-1488793075-819845221-1497111674-1000\desktop.ini.tmp

MD5 afaea7d380f06b237db86e9276c2b3c4
SHA1 d25bc08dc83308650d7cb37e110f48e34a9a16b5
SHA256 75c5217b146cf88ad1decda8db2ab1c5871f6fc9653c2a588789652021e89d1f
SHA512 61ad8cbddcaaacd01963fbd66e3bfb30887485f4a443a7e95fd18354ec1e93f67d0c9535933dd7a291791ad36876fa45ce6404d5022317b48e306f71ef15f2ed

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 e132368adb4432fabb2ca4d53d5e5bd3
SHA1 f63c6484c4fbb18e38308def4be3f487e81bb919
SHA256 e52055ce0e7536613ceaa273b5d7d258117945385c491d05dc752c8556c17d1e
SHA512 d09a3cabc6e52f6503c43a5efbf4f19b40a57b307299f91fdf0ca0c744302171920017b2b3992efc8360171d579e9a590a1862c9babf61e3a541babbdea52876

memory/3040-75-0x0000000000400000-0x000000000040A000-memory.dmp

Both dumps cover the same 0x400000-0x40A000 region (0xA000 = 40 KiB) of PID 3040, almost certainly the sample's own mapped image at the default 32-bit ImageBase; the small size is consistent with the UPX-packed binary. Because UPX decompresses in place, the later dump is the one to open for the unpacked code.

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-12 20:39

Reported

2024-11-12 20:41

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe"

Signatures

Renames multiple (5247) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
(4 matches; no indicator, process or target detail recorded)

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\7-Zip\Lang\fa.txt.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\System.Windows.Forms.Design.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\WindowsFormsIntegration.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\Internet Explorer\iediagcmd.exe.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_MAK-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_K_COL.HXK.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Primitives.dll.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\UIAutomationClientSideProviders.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\UIAutomationClient.dll.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\legal\javafx\public_suffix.md.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_Grace-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial3-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ONWordAddin.dll.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Collections.Immutable.dll.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Forms.dll.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\legal\jdk\giflib.md.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp6-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\7-Zip\Lang\en.ttt.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\7-Zip\Lang\ja.txt.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.WebHeaderCollection.dll.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_MAK-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL078.XML.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\UIAutomationClient.dll.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-stdio-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Inset.eftx.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Trial-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\AUTHOR.XSL.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-private-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XDocument.dll.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Web.HttpUtility.dll.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\bg.pak.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_KMS_Client_AE-ul.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Retail-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\PROTOCOLHANDLERINTL.DLL.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pt-pt.dll.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Globalization.Calendars.dll.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Numerics.Vectors.dll.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial2-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA\openssl64.dlla.manifest.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\sspi_bridge.dll.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial2-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.de-de.dll.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.Brotli.dll.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\bwnumbered.dotx.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN092.XML.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ThirdPartyNotices.ja-jp.txt.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Pipes.AccessControl.dll.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-namedpipe-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\jpeg.dll.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Yellow Orange.xml.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription5-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp6-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\index.win32.bundle.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_OEM_Perp-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntryR_PrepidBypass-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-140.png.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MEDIA\CAMERA.WAV.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\UIAutomationProvider.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework-SystemData.dll.tmp C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe N/A
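Detection logic for the behaviour both detonations record (one process writing thousands of files named "<original name>.tmp" across unrelated directory trees under Program Files and $Recycle.Bin, 4109 on win7 and 5247 on win10), as an added example that is not part of the sandbox report. The log lines are constructed in a simplified Sysmon Event ID 11 (FileCreate) format; the sample paths in them are taken from the "Drops file in Program Files directory" rows of behavioral1, while the installer process, its paths and the thresholds are assumptions chosen to show why volume alone is not the signal and spread across directory trees is.

```python
"""Ransomware-style mass-rewrite detection over FileCreate events. Added
example; the log lines below are constructed, not taken from a real host."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Simplified Sysmon Event ID 11 (FileCreate) line: timestamp, creating image, new file.
LOG_RE = re.compile(r'^(?P<ts>\S+) EventID=11 Image="(?P<image>[^"]+)" TargetFilename="(?P<target>[^"]+)"$')

# Thresholds (assumed for the demo): one process, at least MIN_FILES files with an
# appended extension, spread over at least MIN_DIRS directory trees, inside WINDOW.
MIN_FILES, MIN_DIRS, WINDOW = 5, 3, timedelta(seconds=60)


def has_appended_extension(path: str) -> bool:
    """'hprof.dll.tmp' -> True: the stem still carries its own extension, which is
    what the sandbox's 'renames ... with added filename extension' signature keys on.
    'Cordoba.tmp' -> False: nothing to tell it apart from an ordinary temp file."""
    return len(PureWindowsPath(path).suffixes) >= 2


def dir_key(path: str) -> str:
    """Group by drive + two directory levels, e.g. 'C:\\Program Files\\7-Zip', so an
    installer busy inside one product tree does not look like a disk-wide sweep."""
    parts = PureWindowsPath(path).parts
    return str(PureWindowsPath(*parts[:3]))


def detect(lines):
    """Return (image, file_count, sorted_dir_keys) for every burst crossing the thresholds."""
    windows = defaultdict(deque)          # image -> deque[(timestamp, dir_key)]
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not has_appended_extension(m["target"]):
            continue
        ts = datetime.fromisoformat(m["ts"])
        q = windows[m["image"]]
        q.append((ts, dir_key(m["target"])))
        while q and ts - q[0][0] > WINDOW:   # slide the window forward
            q.popleft()
        dirs = {d for _, d in q}
        if len(q) >= MIN_FILES and len(dirs) >= MIN_DIRS:
            alerts.append((m["image"], len(q), sorted(dirs)))
            q.clear()                     # one alert per burst, then re-arm
    return alerts


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe"
INSTALLER = r"C:\Users\Admin\Downloads\setup.exe"          # hypothetical benign process


def _ev(ts, image, target):
    return f'{ts} EventID=11 Image="{image}" TargetFilename="{target}"'


# Constructed log: six sample writes using paths the report lists, then a
# hypothetical installer writing six temp files inside a single product directory.
CONSTRUCTED_LOG = [
    _ev("2024-11-12T20:39:41", SAMPLE, r"C:\$Recycle.Bin\S-1-5-21-1488793075-819845221-1497111674-1000\desktop.ini.tmp"),
    _ev("2024-11-12T20:39:41", SAMPLE, r"C:\Program Files\7-Zip\Lang\it.txt.tmp"),
    _ev("2024-11-12T20:39:42", SAMPLE, r"C:\Program Files\Java\jdk1.7.0_80\jre\bin\hprof.dll.tmp"),
    _ev("2024-11-12T20:39:42", SAMPLE, r"C:\Program Files\VideoLAN\VLC\plugins\access\libhttps_plugin.dll.tmp"),
    _ev("2024-11-12T20:39:43", SAMPLE, r"C:\Program Files\Mozilla Firefox\firefox.VisualElementsManifest.xml.tmp"),
    _ev("2024-11-12T20:39:43", SAMPLE, r"C:\Program Files\Internet Explorer\msdbg2.dll.tmp"),
] + [_ev("2024-11-12T20:40:00", INSTALLER, rf"C:\Program Files\Contoso\bin\lib{i}.dll.tmp") for i in range(6)]


if __name__ == "__main__":
    for image, count, dirs in detect(CONSTRUCTED_LOG):
        print(f"ALERT {image}: {count} rewritten files across {len(dirs)} directory trees")
```

On the constructed input the sample trips the rule after its fifth write because those five files sit in five different trees, while the installer's six writes never alert because they stay inside one tree. On a real host the thresholds need tuning against the baseline of backup agents and patch installers, and the rule should be paired with a response action (suspend the process, snapshot it) rather than a log entry alone, since at the rate the report shows the damage is done within the two-minute run.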

Processes

C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe

"C:\Users\Admin\AppData\Local\Temp\29e31ebff3e8299e0a1a53264b207bf5660787b88c39b4a71b34e799c706f77c.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

All seven entries are reverse-DNS (PTR) queries for in-addr.arpa names sent to Google's public resolver (8.8.8.8:53). The report does not attribute them to the sample process, no outbound connection to any host other than the resolver is listed in either run, and PTR lookups of this kind are often generated by the guest OS itself; treat them as background noise rather than as network indicators for this sample.

Files

memory/764-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2878641211-696417878-3864914810-1000\desktop.ini.tmp

MD5 daa2b66c3f4fe83eb7186bc007a70fce
SHA1 eb41f47e14afe32f022ad80626dd330c7a5ada1f
SHA256 c47d9db5cc7cb13557a4a0bafd6793ac8c7e4d5fb84b3da0a63147683d6aadee
SHA512 49e445728150ea26dfa849c6d9206f7d69d42904f68d9f8f35a114dea030885a9d0afe880f79b15994409b555d5ad11b458d9c7a96aa52a773c56f5f38312bf8

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 ee3c5ca5dd9534c90493017f3f626566
SHA1 3598c8d578c0df043925199a3e166829aa385f03
SHA256 ca28222c0617bde9cb7e3d252eac60accdbef8a150b69fc3f0a58dd6a1e94841
SHA512 022f18b75bc1239854a56c85b91c0f6280861244d65d7f0a351357d4f925cbde16460c7265c8649323f9d368e99531e3bb2394227dc94a1a5c3486b840e075f3

memory/764-794-0x0000000000400000-0x000000000040A000-memory.dmp