Malware Analysis Report

2024-12-07 10:21

Sample ID 241113-dnbbaaymel
Target d5d8d4c7b10fe6799c324dba3607d889330b41737203a6689750b9ae807c9568
SHA256 d5d8d4c7b10fe6799c324dba3607d889330b41737203a6689750b9ae807c9568
Tags discovery ransomware upx
Score 9/10

Analysis Overview

Score 9/10

SHA256

d5d8d4c7b10fe6799c324dba3607d889330b41737203a6689750b9ae807c9568

Threat Level: Likely malicious

The file d5d8d4c7b10fe6799c324dba3607d889330b41737203a6689750b9ae807c9568 was found to be: Likely malicious.

Malicious Activity Summary

discovery ransomware upx

Renames multiple (3745) files with added filename extension

Renames multiple (5095) files with added filename extension

UPX packed file

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Analysis: static1

Detonation Overview

Reported

2024-11-13 03:08

Signatures

UPX packed file

upx

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 03:08

Reported

2024-11-13 03:11

Platform

win7-20240729-en

Max time kernel

150s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d5d8d4c7b10fe6799c324dba3607d889330b41737203a6689750b9ae807c9568.exe"

Signatures

Renames multiple (3745) files with added filename extension

ransomware

UPX packed file

upx

Drops file in Program Files directory

Description: File created (all rows)
Process: C:\Users\Admin\AppData\Local\Temp\d5d8d4c7b10fe6799c324dba3607d889330b41737203a6689750b9ae807c9568.exe (all rows)
Target: N/A (all rows)
Indicator:
C:\Program Files\VideoLAN\VLC\plugins\codec\libdxva2_plugin.dll.tmp
C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\corner.png.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\en-US\rtscom.dll.mui.tmp
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Jayapura.tmp
C:\Program Files\Java\jre7\lib\zi\Europe\Budapest.tmp
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Extensions.dll.tmp
C:\Program Files\Java\jre7\lib\ext\jaccess.jar.tmp
C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_m.png.tmp
C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\js\localizedStrings.js.tmp
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome.dll.sig.tmp
C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\manifest.json.tmp
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Dubai.tmp
C:\Program Files\Java\jre7\bin\JavaAccessBridge-64.dll.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.commands.nl_zh_4.4.0.v20140623020002.jar.tmp
C:\Program Files\Java\jre7\lib\zi\Asia\Karachi.tmp
C:\Program Files\VideoLAN\VLC\lua\http\requests\playlist.json.tmp
C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_10_p010_plugin.dll.tmp
C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\js\currency.js.tmp
C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\icon.png.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\sports_disc_mask.png.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\epl-v10.html.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-output2.jar.tmp
C:\Program Files\VideoLAN\VLC\plugins\codec\libspeex_plugin.dll.tmp
C:\Program Files\Java\jre7\lib\zi\Europe\Madrid.tmp
C:\Program Files\Java\jre7\lib\zi\Europe\Monaco.tmp
C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\gadget.xml.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPTSFrame.png.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-applemenu_zh_CN.jar.tmp
C:\Program Files\Java\jre7\lib\zi\America\Argentina\Ushuaia.tmp
C:\Program Files\Java\jre7\lib\zi\Asia\Riyadh87.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\Panel_Mask_PAL.wmv.tmp
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Baku.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification.ja_5.5.0.165303.jar.tmp
C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\currency.html.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\en-US\mshwLatin.dll.mui.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\hwrcommonlm.dat.tmp
C:\Program Files\Java\jre7\lib\zi\America\Argentina\La_Rioja.tmp
C:\Program Files\VideoLAN\VLC\plugins\access\libftp_plugin.dll.tmp
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Puerto_Rico.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.nl_ja_4.4.0.v20140623020002.jar.tmp
C:\Program Files\Java\jdk1.7.0_80\LICENSE.tmp
C:\Program Files\Java\jre7\lib\sound.properties.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\numbase.xml.tmp
C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\ja-JP\MSTTSLoc.dll.mui.tmp
C:\Program Files\Common Files\System\Ole DB\en-US\oledb32r.dll.mui.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\scrapbook.png.tmp
C:\Program Files\Mozilla Firefox\fonts\TwemojiMozilla.ttf.tmp
C:\Program Files\Windows Journal\fr-FR\NBMapTIP.dll.mui.tmp
C:\Program Files\Java\jre7\lib\zi\America\Argentina\Salta.tmp
C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libyuy2_i420_plugin.dll.tmp
C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\buttonUp_Off.png.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\1047x576black.png.tmp
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Mazatlan.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.SF.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-settings.xml.tmp
C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libtrivial_channel_mixer_plugin.dll.tmp
C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_blue_partly-cloudy.png.tmp
C:\Program Files (x86)\Common Files\microsoft shared\ink\mraut.dll.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-editor-mimelookup.xml.tmp
C:\Program Files\Java\jre7\bin\splashscreen.dll.tmp
C:\Program Files\VideoLAN\VLC\plugins\spu\libaudiobargraph_v_plugin.dll.tmp
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc.tmp
C:\Program Files\7-Zip\Lang\ba.txt.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\ipshrv.xml.tmp

System Location Discovery: System Language Discovery

discovery
Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Local\Temp\d5d8d4c7b10fe6799c324dba3607d889330b41737203a6689750b9ae807c9568.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d5d8d4c7b10fe6799c324dba3607d889330b41737203a6689750b9ae807c9568.exe

"C:\Users\Admin\AppData\Local\Temp\d5d8d4c7b10fe6799c324dba3607d889330b41737203a6689750b9ae807c9568.exe"

Network

N/A

Files

memory/2732-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2703099537-420551529-3771253338-1000\desktop.ini.tmp

MD5 da5e0899970df5f42cf69d4a6feb8e1a
SHA1 fb862ece2a232577385fe05aaa8550a4e134a727
SHA256 4ab452b13868f826c818597d7ad9988f72090d5fb91b3189c3abe81d8c105c72
SHA512 cd0216ff521aac5d17f4ba7f7c84c24f25039969c86c306f7082872ad244d5e031dd85bf0db2da6311097b870788028deae5066cd07f4847bfac9eab8b6faf2f

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 806661589ebf3465751dd0a6cf364b42
SHA1 b089bf1872362c2d0213ac503d14d32a6f9375ce
SHA256 67026d59e2a40db6a4297e811cb4f0a2cf485f15cca0e7742bc5bf3fed4a5447
SHA512 89357d5593a68fcdde554b12746f74bec8d626e28ac7579fe92474b27ae7ff6d7cea9e35d9eaa185f36ad863fc325cfc02829e95153e4ec3e817a443382a940f

memory/2732-74-0x0000000000400000-0x000000000040B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 03:08

Reported

2024-11-13 03:11

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d5d8d4c7b10fe6799c324dba3607d889330b41737203a6689750b9ae807c9568.exe"

Signatures

Renames multiple (5095) files with added filename extension

ransomware

UPX packed file

upx

Drops file in Program Files directory

Description: File created (all rows)
Process: C:\Users\Admin\AppData\Local\Temp\d5d8d4c7b10fe6799c324dba3607d889330b41737203a6689750b9ae807c9568.exe (all rows)
Target: N/A (all rows)
Indicator:
C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-ppd.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_PrepidBypass-ppd.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\ProjectProMSDNR_Retail-ul-oob.xrm-ms.tmp
C:\Program Files\Common Files\microsoft shared\ink\lv-LV\tipresx.dll.mui.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.HttpListener.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Windows.Forms.Primitives.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\UIAutomationClientSideProviders.resources.dll.tmp
C:\Program Files\Microsoft Office\root\Integration\C2RManifest.shared.Office.x-none.msi.16.x-none.xml.tmp
C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_MAKC2R-ppd.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-ul-phn.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Trial-ppd.xrm-ms.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Xaml.resources.dll.tmp
C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Gothic.xml.tmp
C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Retail-ppd.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\MSIPC\nl\msipc.dll.mui.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.WebHeaderCollection.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.FileSystem.AccessControl.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.CodeDom.dll.tmp
C:\Program Files\Java\jdk-1.8\legal\jdk\relaxngdatatype.md.tmp
C:\Program Files\Java\jre-1.8\lib\psfontj2d.properties.tmp
C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_F_COL.HXK.tmp
C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\zlibwapi.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.ServicePoint.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\UIAutomationTypes.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-pl.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_Subscription-ul-oob.xrm-ms.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Algorithms.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_OEM_Perp-ul-phn.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.ConnectionUI.dll.tmp
C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.SqlServer.Configuration.SString.dll.tmp
C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL118.XML.tmp
C:\Program Files\Microsoft Office\root\Office16\1033\ORGCINTL.DLL.tmp
C:\Program Files\Microsoft Office\root\Office16\1033\XLINTL32.DLL.tmp
C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.Recommendation.Common.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Data.Common.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.AccessControl.dll.tmp
C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_de.properties.tmp
C:\Program Files\Java\jdk-1.8\legal\jdk\mesa3d.md.tmp
C:\Program Files\Microsoft Office\root\Office16\1033\ClientOSub_eula.txt.tmp
C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_profile_large.png.tmp
C:\Program Files\Microsoft Office\root\Office16\mip_telemetry.dll.tmp
C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\SQLENGINEMESSAGES.XML.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Microsoft.Win32.SystemEvents.dll.tmp
C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe.tmp
C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-ul-phn.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Retail-ul-oob.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Excel.EditorRibbon.dll.tmp
C:\Program Files\Java\jdk-1.8\COPYRIGHT.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\UIAutomationTypes.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\PresentationCore.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Windows.Controls.Ribbon.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\UIAutomationTypes.resources.dll.tmp
C:\Program Files\Java\jre-1.8\bin\gstreamer-lite.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\WindowsFormsIntegration.resources.dll.tmp
C:\Program Files\Java\jdk-1.8\bin\wsimport.exe.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Windows.Forms.Primitives.resources.dll.tmp
C:\Program Files\Java\jre-1.8\bin\JAWTAccessBridge-64.dll.tmp
C:\Program Files\Microsoft Office\root\Office16\OneNote\SendToOneNote.gpd.tmp
C:\Program Files\7-Zip\Lang\mn.txt.tmp
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\auxbase.xml.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Tasks.Extensions.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\Microsoft.VisualBasic.Forms.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\WindowsFormsIntegration.resources.dll.tmp

System Location Discovery: System Language Discovery

discovery
Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Local\Temp\d5d8d4c7b10fe6799c324dba3607d889330b41737203a6689750b9ae807c9568.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d5d8d4c7b10fe6799c324dba3607d889330b41737203a6689750b9ae807c9568.exe

"C:\Users\Admin\AppData\Local\Temp\d5d8d4c7b10fe6799c324dba3607d889330b41737203a6689750b9ae807c9568.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 213.143.182.52.in-addr.arpa udp

Files

memory/3164-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3442511616-637977696-3186306149-1000\desktop.ini.tmp

MD5 b33106974f840ce52cfa4c2cd3a393f7
SHA1 6166e4bb77c930ad05490e64cbba65b1bed92342
SHA256 95c42892f54c3b5870c8ec92a06ca580e3afc19cee79551c0d746ad17b87334f
SHA512 d95bb192acaf0ec1020560d04d9610d37ba9cd92af137230eb5ca714eff84e3f73df780978bac1da0e697574069e4fdda49e417d36d527da129fda838646ff06

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 7b7b12df3f3f09ae7a6c8d0ef2f5512f
SHA1 cce1a4e082ca28a455d496034fefbf2d5d9364f7
SHA256 a82eec759bcbc150043aafdfe60e5f44c883584d65b27a14ba4a6abc1e8d20fd
SHA512 6e8f9cd532889901b0e7511e05c4e2462ce1fc4223b535ce5f08d9d5b15976800e6fb4f60ad7dd42b3732bf9f4dff65aa02e67d67646c7d0336a10ea3182c722

memory/3164-748-0x0000000000400000-0x000000000040B000-memory.dmp