Malware Analysis Report

2024-12-07 10:20

Sample ID: 241113-b2hleavakh
Target: afe806b253e3469f8d690df386cd940c4917cac570410c7151e5cefb515f8a28
SHA256: afe806b253e3469f8d690df386cd940c4917cac570410c7151e5cefb515f8a28
Tags: upx discovery ransomware
Score: 9/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 9/10

SHA256: afe806b253e3469f8d690df386cd940c4917cac570410c7151e5cefb515f8a28

Threat Level: Likely malicious

The file afe806b253e3469f8d690df386cd940c4917cac570410c7151e5cefb515f8a28 was found to be: Likely malicious.

Malicious Activity Summary

Tags: upx discovery ransomware

Renames multiple (3681) files with added filename extension

Renames multiple (5013) files with added filename extension

UPX packed file

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-13 01:38

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-13 01:38
Reported: 2024-11-13 01:40
Platform: win7-20240903-en
Max time kernel: 149s
Max time network: 118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\afe806b253e3469f8d690df386cd940c4917cac570410c7151e5cefb515f8a28.exe"

Signatures

Renames multiple (3681) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

System Location Discovery: System Language Discovery

discovery
Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Local\Temp\afe806b253e3469f8d690df386cd940c4917cac570410c7151e5cefb515f8a28.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\afe806b253e3469f8d690df386cd940c4917cac570410c7151e5cefb515f8a28.exe

"C:\Users\Admin\AppData\Local\Temp\afe806b253e3469f8d690df386cd940c4917cac570410c7151e5cefb515f8a28.exe"

Network

N/A

Files

memory/2980-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-1488793075-819845221-1497111674-1000\desktop.ini.tmp

MD5 e85d37450603fad46b270d0b84e1a67f
SHA1 5e1aec2c27e083418601e58bc22266ddbc1f2155
SHA256 d068bf42d22ca04bcf8133c4085553180f94a4effac872eebf3e78552f5472f9
SHA512 768c739a2d0d2a33fa10e7bd379012073ac4760addbac8250487be0b429bc646063ef1bc85b23baafa52409a52e34d0709015318d0dec6f3841b68d94cc5c94b

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 c13ee2e5e53b0748440e383f45624da2
SHA1 2fca36f8be3fcf37ba4584a43ee16b089df035cc
SHA256 34949024d2303fe36adc24862f2812a41dd7a0a08391cb29f3c7de6dfac8113f
SHA512 4c3ce8116b058ed57cf32862a0de5c765e11a14428a2b15d32165d8dc7fc7d2e88625b981663e18e5cbf20bcab65fe4b94ad75251ca0448d9b5da446aafc439e

memory/2980-70-0x0000000000400000-0x000000000040B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-13 01:38
Reported: 2024-11-13 01:40
Platform: win10v2004-20241007-en
Max time kernel: 149s
Max time network: 141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\afe806b253e3469f8d690df386cd940c4917cac570410c7151e5cefb515f8a28.exe"

Signatures

Renames multiple (5013) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

System Location Discovery: System Language Discovery

discovery
Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Local\Temp\afe806b253e3469f8d690df386cd940c4917cac570410c7151e5cefb515f8a28.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\afe806b253e3469f8d690df386cd940c4917cac570410c7151e5cefb515f8a28.exe

"C:\Users\Admin\AppData\Local\Temp\afe806b253e3469f8d690df386cd940c4917cac570410c7151e5cefb515f8a28.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

memory/2184-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2045521122-590294423-3465680274-1000\desktop.ini.tmp

MD5 32dab7c19bb5e17b3d0cbb6f03ffc3e6
SHA1 551c1fb49642bd463f38dda39404bbe43fc43f75
SHA256 f432d47b5da820250e40d42056fc2c6a12af74b8e85b9454f49299ff00510966
SHA512 144f1ced9ef79db196bdfad24559911678c15dc67720044175ed8626e86a2edc20fdd600827a621460832c259734d288490c99b8ee59862bf5a585b1066e320d

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 3669fa4e4e5afbe45563fda72ac15faa
SHA1 2871b5e2f0daf92f0ddf56d3009a1fc38489938e
SHA256 9ffb3f95e58ab9de752b92bb1ba43d84fd7d247f188468ef2e2bab9e87bf5d69
SHA512 4aa868df2ad5cbc870abcd2480106d88c81b482759b35545d37de0f3db784e3e6543bfda634adf8489d0b1edb09386397a2e4d159da6e24c41af8ead5f12bbd3

memory/2184-662-0x0000000000400000-0x000000000040B000-memory.dmp