Malware Analysis Report

2024-12-07 10:20

Sample ID 241113-am3glatfjp
Target 6ff029ad787a69dca7484d57eda1d58a60c69d6b08c4e140bbf1281f60199948.exe
SHA256 6ff029ad787a69dca7484d57eda1d58a60c69d6b08c4e140bbf1281f60199948
Tags
upx discovery ransomware
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

6ff029ad787a69dca7484d57eda1d58a60c69d6b08c4e140bbf1281f60199948

Threat Level: Likely malicious

The file 6ff029ad787a69dca7484d57eda1d58a60c69d6b08c4e140bbf1281f60199948.exe was found to be: Likely malicious.

Malicious Activity Summary

upx discovery ransomware

Renames multiple (3848) files with added filename extension

Renames multiple (5006) files with added filename extension

UPX packed file

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 00:20

Signatures

UPX packed file

upx

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 00:20

Reported

2024-11-13 00:23

Platform

win7-20240903-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6ff029ad787a69dca7484d57eda1d58a60c69d6b08c4e140bbf1281f60199948.exe"

Signatures

Renames multiple (3848) files with added filename extension

ransomware

UPX packed file

upx

Drops file in Program Files directory


System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6ff029ad787a69dca7484d57eda1d58a60c69d6b08c4e140bbf1281f60199948.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6ff029ad787a69dca7484d57eda1d58a60c69d6b08c4e140bbf1281f60199948.exe

"C:\Users\Admin\AppData\Local\Temp\6ff029ad787a69dca7484d57eda1d58a60c69d6b08c4e140bbf1281f60199948.exe"

Network

N/A

Files

memory/1968-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3533259084-2542256011-65585152-1000\desktop.ini.tmp

MD5 5ded1f5b4c7e484ff8dfe5e960f395d4
SHA1 50feea72b7cf2aad928a1308e7a29b68a08c1ef0
SHA256 3f6d1adb04b6d56366a3988fbb2e53d65aab177d958553881c2cfd182a7c6598
SHA512 1215f125a71ec2d0b250dc4e63d7b9640eb0479da022d78c1b555275903b315e51f11d3db59240c3f9f5d110e64e1a0a16720e678b5508d752335b2b77b30dbd

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 bc02ceb73c7cd9459374b14713700594
SHA1 fbebd30536557b7f9526e9fe56b55dfe5bb91658
SHA256 05e7e81abeeb03661a8a93854902661a50be218e1bec83d91238a5abdabea96b
SHA512 96af5d9a717161d9038a0577f7d1d7d7c903b0f85bacb95569d26d78df29007a12477695e6c8389b5e833bf303c5cae1cb6a7e100cdc367bf9453350c9b8499f

memory/1968-75-0x0000000000400000-0x000000000040A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 00:20

Reported

2024-11-13 00:23

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6ff029ad787a69dca7484d57eda1d58a60c69d6b08c4e140bbf1281f60199948.exe"

Signatures

Renames multiple (5006) files with added filename extension

ransomware

UPX packed file

upx

Drops file in Program Files directory


System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6ff029ad787a69dca7484d57eda1d58a60c69d6b08c4e140bbf1281f60199948.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6ff029ad787a69dca7484d57eda1d58a60c69d6b08c4e140bbf1281f60199948.exe

"C:\Users\Admin\AppData\Local\Temp\6ff029ad787a69dca7484d57eda1d58a60c69d6b08c4e140bbf1281f60199948.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

memory/404-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-493223053-2004649691-1575712786-1000\desktop.ini.tmp

MD5 df9140e027f2ee90918c34fd71ddbafb
SHA1 bae487c703d2451bf9e2b2b2729144494f1ecab0
SHA256 81cb0dbf88078b60492d34c0c237401bf01184e90c0a4db7ac24254d293130e1
SHA512 12c05a546a670608b018cfd4079876b550005207b80ba8c698f15a5f91963cd49fdda3519dc351ce80050b6112578a1a9db17920fd0894cd8e6f13cec26a35d5

C:\Program Files\7-Zip\7-zip.dll.exe

MD5 4cbc3ce4fb7fcff3945eb31ed6c8655e
SHA1 ffcca9584f6872869232b553a711a81191d425b0
SHA256 11b2706180ecc25be769050ec54403e38329c666c43e92479795ec6692ce45e6
SHA512 55224d4899d2946713910560478b3014dea86e1198947e13f5d72803d0540b45da8c1cc23b6bbe4fb5caa5428db6611d27b77da186dbecde708a90c576e451d5

memory/404-663-0x0000000000400000-0x000000000040A000-memory.dmp