Malware Analysis Report

2025-03-15 08:17

Sample ID 241016-ent9ts1hre
Target bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38
SHA256 bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38
Tags upx discovery ransomware
Score 9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 9/10

SHA256

bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38

Threat Level: Likely malicious

The file bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38 was found to be: Likely malicious.

Malicious Activity Summary

upx discovery ransomware

Renames multiple (3445) files with added filename extension

Renames multiple (4851) files with added filename extension

UPX packed file

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-16 04:05

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 04:05

Reported

2024-10-16 04:08

Platform

win7-20240903-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe"

Signatures

Renames multiple (3445) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationRight_SelectionSubpicture.png.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Pacific\Guam.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\Microsoft Games\FreeCell\ja-JP\FreeCell.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\text_renderer\libsapi_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\video_filter\libhqdn3d_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\7-Zip\Lang\ext.txt.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\javafx.policy.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-profiling.xml.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\org-openide-util.jar.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\codec\libsubsdec_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Yakutat.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\id\LC_MESSAGES\vlc.mo.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\codec\libwebvtt_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\Windows Media Player\es-ES\wmpnetwk.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\scene_button_style_default_Thumbnail.bmp.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Abidjan.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-progress_zh_CN.jar.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host-views.xml.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Europe\Simferopol.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\zh_TW\LC_MESSAGES\vlc.mo.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Araguaina.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\jconsole.jar.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.metadataprovider.exsd.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\jawt.dll.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.application.ja_5.5.0.165303.jar.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-openide-options.xml_hidden.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\visualization\libprojectm_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\VideoLAN\VLC\README.txt.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\7-Zip\Lang\ne.txt.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\tipresx.dll.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\GreenBubbles.jpg.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\system_settings.png.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Christmas.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Saipan.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-favorites.jar.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libswscale_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\video_filter\libpsychedelic_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\diner_s.png.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\spacer_highlights.png.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\weather.html.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\Common Files\System\msadc\msdaprsr.dll.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.app_1.3.200.v20130910-1609.jar.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-io.xml.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\720x480icongraphic.png.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\hu.pak.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Puerto_Rico.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\Microsoft Games\More Games\es-ES\MoreGames.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\logger\libfile_logger_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ipssve.xml.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\micaut.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\TipBand.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\TipBand.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\db\bin\setNetworkServerCP.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\video_splitter\libclone_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\video_filter\libmotiondetect_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\flyout.html.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.nl_ja_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Guayaquil.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\codec\libg711_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\da.pak.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\include\win32\jni_md.h.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.renderers.swt.nl_zh_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Europe\Stockholm.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe

"C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe"

Network

N/A

Files

memory/3068-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3063565911-2056067323-3330884624-1000\desktop.ini.tmp

MD5 27ecaa1470f0c360be6863b87db3adf5
SHA1 eed3a396dcb0a47a7c333f30ec01a55c9f1f3498
SHA256 5d6a9ce1bc468abe3b6454978914bf48bb479c08955bfed2a166b595bda9bf66
SHA512 88a01dcd00134a98724d6a619e63ab1d7fca89ffbd7546c2f28524f4eca810f450a85b12f1715bf33330a9c629a854dc3e5cb21990d35a812ea6828f96ef81bf

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 eefc3af04ed43890e523d9f6fb845456
SHA1 7407ade86c282df60545bba084fab93d148c0ac8
SHA256 8a0857dfa55966e8657736c10e646e7811dd1fd79550ed6fe7779e6a273d78d6
SHA512 07dfefd30286bb647ed1be0a9059e4a745ccb533f3ea5c8861e634983f1d9d8be081d4c920afbbec662cae14712e239e567abba354dfed1bfadf45e337826b7a

memory/3068-72-0x0000000000400000-0x000000000040B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 04:05

Reported

2024-10-16 04:08

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe"

Signatures

Renames multiple (4851) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Microsoft Office\root\Office16\1033\TellMePowerPoint.nrr.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\Common Files\System\en-US\wab32res.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Encoding.dll.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Royale.dll.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Windows.Input.Manipulations.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\hijrah-config-umalqura.properties.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-file-l1-2-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Grace-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL103.XML.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-filesystem-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Trial-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\bwcapitalized.dotx.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_COL.HXC.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL012.XML.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\Microsoft Office\root\Office15\pidgenx.dll.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\mshwjpn.dll.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ThirdPartyNotices.MSHWLatin.txt.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Ping.dll.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.dll.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\Microsoft.VisualBasic.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\LogoBeta.png.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-runtime-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\FA000000050.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.EventBasedAsync.dll.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\PresentationUI.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\mlib_image.dll.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.lt-lt.dll.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\vk_swiftshader_icd.json.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\Java\jdk-1.8\include\win32\jawt_md.h.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp4-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\UIAutomationTypes.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\System.Xaml.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.SecureString.dll.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\UIAutomationTypes.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\WindowsBase.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\Java\jdk-1.8\legal\jdk\jpeg.md.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Trial-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp4-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\Common Files\System\ado\msado60.tlb.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\Common Files\System\msadc\msdarem.dll.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\PresentationCore.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Forms.Design.Editors.dll.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\dotnet\swidtag\Microsoft Windows Desktop Runtime - 8.0.2 (x64).swidtag.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\security\java.policy.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Trial-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\hwritalm.dat.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Extensions.dll.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\PresentationUI.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_OEM_Perp-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\7-Zip\Lang\nn.txt.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\UIAutomationClientSideProviders.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Yellow Orange.xml.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Office.Interop.Excel.dll.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\OMRAUT.DLL.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\7-Zip\Lang\eu.txt.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.MemoryMappedFiles.dll.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Windows.Forms.Primitives.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\ext\jfxrt.jar.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\images\cursors\invalid32x32.gif.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_F_COL.HXK.tmp C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe

"C:\Users\Admin\AppData\Local\Temp\bae998494715310d62a5c9b61368df45cf9fa3dc3cfff5b58c3e37af16133c38.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 68.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 28.73.42.20.in-addr.arpa udp

Files

memory/4876-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2437139445-1151884604-3026847218-1000\desktop.ini.tmp

MD5 074c60ca3c1c27dc029d9a1184f25ee3
SHA1 2b8b12cc29ff99042638c2d93707120a77b948a8
SHA256 d99ce82147b89f3d78f528924807fe793bb94a78523285862e123ff796c03bf2
SHA512 bb70d9ed188aa208b3d3a7add53dd4d516c0b049c211edca627ea5c78610bd79a27f23ea18c461ab085454cdb4ca0ad326369098d060f725817d1cac22f74ac7

C:\Program Files\7-Zip\7-zip.dll.exe

MD5 2d7042168f45daf4341895b72a482f81
SHA1 896bb7851723064a19e7986309cd391bfd90383d
SHA256 d47578855b93589ae9e7fadcb796417619a119886bfa14dbb7f37931b99c222d
SHA512 f32b6b62768a303dd983e90b09695b46582125e23d17f1b43b6b8a2b26557519318aeaaa75e4a0d69bd5fa5ed042aa57f655859a5a184aa4608c9d9661aba72d

memory/4876-660-0x0000000000400000-0x000000000040B000-memory.dmp