Malware Analysis Report

2025-03-15 08:17

Sample ID 241016-enbgqa1hqb
Target ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe
SHA256 ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe
Tags discovery ransomware upx
Score 9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 9/10

SHA256 ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe

Threat Level: Likely malicious

The file ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe was found to be: Likely malicious.

Malicious Activity Summary

discovery ransomware upx

Renames multiple (3760) files with added filename extension (behavioral1)

Renames multiple (5197) files with added filename extension (behavioral2)

UPX packed file

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-16 04:04

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 04:04

Reported

2024-10-16 04:07

Platform

win7-20240903-en

Max time kernel

150s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe"

Signatures

Renames multiple (3760) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\VideoLAN\VLC\locale\sm\LC_MESSAGES\vlc.mo.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\24.png.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\3difr.x3d.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\7-Zip\Lang\ext.txt.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-next-static.png.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Swift_Current.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Argentina\Buenos_Aires.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.fca.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Curacao.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\codec\libsubstx3g_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Windows Media Player\fr-FR\wmpnssci.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Search.api.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-io-ui.xml.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-fallback_zh_CN.jar.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.lnk.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\WindowsFormsIntegration.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\es-ES\msdasqlr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Cordoba.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Paramaribo.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-2.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\settings.html.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Asia\Sakhalin.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\7-Zip\Lang\pt.txt.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.jpg.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_rgb.wmv.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.jsp.jasper.registry_1.0.300.v20130327-1442.jar.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_mp4_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\SmallLogo.png.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Java\jre7\bin\w2k_lsa_auth.dll.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_srt_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\codec\libaom_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\ahclient.dll.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\rtscom.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-charts.xml.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.IdentityModel.Selectors.Resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Ndjamena.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jvm.xml.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Cambridge_Bay.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationCore.dll.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Mozilla Firefox\api-ms-win-crt-conio-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\ResetInvoke.wmf.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\js\RSSFeeds.js.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\logo.png.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ipschs.xml.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXEV.DLL.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\attach.dll.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-core-kit.xml.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Cancun.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\epl-v10.html.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Java\jre7\bin\rmiregistry.exe.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\dialogs\browse_window.html.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\localizedStrings.js.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_few-showers.png.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationRight_SelectionSubpicture.png.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Asia\Ho_Chi_Minh.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\modules\sandbox.luac.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\js\picturePuzzle.js.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Microsoft Games\Multiplayer\Backgammon\ja-JP\bckgRes.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Windows Media Player\fr-FR\WMPDMCCore.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationLeft_SelectionSubpicture.png.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe

"C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe"

Network

N/A

Files

memory/2536-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3290804112-2823094203-3137964600-1000\desktop.ini.tmp

MD5 fa7c13aef2eac56afbdde3ec6944a70c
SHA1 dc212610fbee50628d3586e48dcb101bcbf00e29
SHA256 f5b108b95cdc169166ddc08154e9c9f6acfe0b9c5fba557a8ba7aaddcfba1c1e
SHA512 b3f9475b6283212cceb2612a89ab6127c6a64bfc60bb9beed8d6f7eab2887f491f18d540cc3db78823ebdb74b7e87ca17d73ce80767d33b798bcd3c672ffa5ee

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 1dc6c54c2b65619d1878617d0c1ace96
SHA1 ac0bf2621861d60c3c74bc298923d5e2862fc0db
SHA256 58cad1e774088f23e89d6d5414b09c4a6d7a754b97fc9494e2b8c4da60ad99a0
SHA512 abb5a023cc3d5816ba816eecc0c7f4876449dee83987968c2769a2fecaef0405259ec7de9fcf23c2e1fd3c199e77d06a942476fe8e02872f5f44b38222fdd1e1

memory/2536-70-0x0000000000400000-0x000000000040B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 04:04

Reported

2024-10-16 04:07

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe"

Signatures

Renames multiple (5197) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\7-Zip\7-zip32.dll.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\System.Windows.Forms.Design.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_MAK-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_MAK-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_MAK_AE-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\ZeroByteFile.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ONBttnIELinkedNotes.dll.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\MS.DATABASECOMPARE.16.1033.hxn.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.WebClient.dll.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\rmid.exe.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-root.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-stil.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_Subscription-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSQRY32.EXE.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework-SystemXmlLinq.dll.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial2-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription4-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTest-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\MSQRY32.CHM.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\Office.Runtime.js.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\assets\assets\images\assets_picker-account-addPerson-48.png.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-synch-l1-2-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\PresentationUI.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\COPYRIGHT.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\legal\javafx\libxslt.md.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_OEM_Perp-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription1-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.ReportingServices.Authorization.dll.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\mfc140u.dll.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\OneNote\prnSendToOneNote.cat.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN109.XML.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\UIAutomationClientSideProviders.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\Configuration\card_terms_dict.txt.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL092.XML.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\7-Zip\Lang\ko.txt.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Windows.Forms.Primitives.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Security.Permissions.dll.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_OEM_Perp-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_K_COL.HXK.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PROOF\MSSP7FR.dub.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Common Files\System\msadc\msdfmap.dll.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\UIAutomationClientSideProviders.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_MAK-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\OARTODF.DLL.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Microsoft Office\root\rsod\proof.fr-fr.msi.16.fr-fr.boot.tree.dat.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework-SystemXml.dll.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-runtime-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTrial-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Grace-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Retail-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_KMS_Client_AE-ul.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\Interceptor.tlb.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-100.png.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\SAMPLES\SOLVSAMP.XLS.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GOTHICBI.TTF.tmp C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe

"C:\Users\Admin\AppData\Local\Temp\ba9d952936e9de1ce4c4d9c9dd4a031bbb90b530e1ab6749d4cbaa2c8b46aabe.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 103.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

memory/1536-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2437139445-1151884604-3026847218-1000\desktop.ini.tmp

MD5 d70735a3bd851f4bb719376292a3e28e
SHA1 898876c043589fd7428a4c4da629858e1c35683e
SHA256 4d6e0168e0b9ef74c86c78a6f68b3f8cb19554eb49573ce0bfc6efac7edc5520
SHA512 7a401b65295dfaa77bc1b1d8b3e70a55a56b465b87a33494bb16f04e360e9756e470917553d97b808bd91c2f0e562ad5229d7e3e4d6b7e172635cb7a67e2066f

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 4e33e83affc35114b0d90eb16af610c5
SHA1 1a94386ce5cf724d8e09ce8128429eff15dfe2e5
SHA256 e65ac7b3ecbec517b7aed23a2aa52428e6e9a325d9c2198c13ca0130e673326c
SHA512 b2c9e1febe7c72ec8ec52f1764a2b3a9aeeed7e762cc8ed3ce1bd8bd84d89576712ae182167a7ac5e2e02af2302d238fdc22503ac70e5de9e7fb78aec2d182ad

memory/1536-784-0x0000000000400000-0x000000000040B000-memory.dmp