Malware Analysis Report

2025-01-22 19:58

Sample ID 241016-x5tzhaxgkc
Target 2250d2cc4ab4447d0e900491a6b59a26b54f42e3cce1a903c03af1b6f851e39a
SHA256 2250d2cc4ab4447d0e900491a6b59a26b54f42e3cce1a903c03af1b6f851e39a
Tags upx discovery ransomware
Score 9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 9/10

SHA256 2250d2cc4ab4447d0e900491a6b59a26b54f42e3cce1a903c03af1b6f851e39a

Threat Level: Likely malicious

The file 2250d2cc4ab4447d0e900491a6b59a26b54f42e3cce1a903c03af1b6f851e39a was found to be: Likely malicious.

Malicious Activity Summary

upx discovery ransomware

Renames multiple (5028) files with added filename extension

Renames multiple (3492) files with added filename extension

UPX packed file

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-16 19:26

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 19:26

Reported

2024-10-16 19:29

Platform

win7-20240708-en

Max time kernel

150s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2250d2cc4ab4447d0e900491a6b59a26b54f42e3cce1a903c03af1b6f851e39a.exe"

Signatures

Renames multiple (3492) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory


System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2250d2cc4ab4447d0e900491a6b59a26b54f42e3cce1a903c03af1b6f851e39a.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2250d2cc4ab4447d0e900491a6b59a26b54f42e3cce1a903c03af1b6f851e39a.exe

"C:\Users\Admin\AppData\Local\Temp\2250d2cc4ab4447d0e900491a6b59a26b54f42e3cce1a903c03af1b6f851e39a.exe"

Network

N/A

Files

memory/2224-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-1506706701-1246725540-2219210854-1000\desktop.ini.tmp

MD5 ddc68ca1c463a57d76a3f77cd89c96dc
SHA1 110086b45c5286fcb75b541f4abfb765fe78ae4d
SHA256 23a259868805d2aa649b09331162a922f510e1776981abab2ee5be0949ef3da2
SHA512 ddbdcda2cc6ab2f9463076399b3d2f1bda69af2744804ff5ff37fe041c48ea7dadb209175cba8e69d4d75de0541972dbf41bb82b3e38b84a9cba421754bfdfbb

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 5b034af93ff183d330d13afc0395d04c
SHA1 75d1a9d3a7bd7d4ec9789fde61ad2c8c966aa441
SHA256 b8ff56e05468523d872f213d2f8d0b8df0ae6d2938409d90df14888d1cf9d665
SHA512 b7c411305b6c2ce57d4ddb638f1ab2e5064500e931f27c077086d75d2f22bc4a46b8e95fd967b0e71e8622e5148954f1a7907d7ebafb70f10e30c39193a4858b

memory/2224-68-0x0000000000400000-0x000000000040B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 19:26

Reported

2024-10-16 19:29

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2250d2cc4ab4447d0e900491a6b59a26b54f42e3cce1a903c03af1b6f851e39a.exe"

Signatures

Renames multiple (5028) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory


System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2250d2cc4ab4447d0e900491a6b59a26b54f42e3cce1a903c03af1b6f851e39a.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2250d2cc4ab4447d0e900491a6b59a26b54f42e3cce1a903c03af1b6f851e39a.exe

"C:\Users\Admin\AppData\Local\Temp\2250d2cc4ab4447d0e900491a6b59a26b54f42e3cce1a903c03af1b6f851e39a.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 71.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

memory/1056-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2878641211-696417878-3864914810-1000\desktop.ini.tmp

MD5 d69b3911caaee99ea61b7f7eccf4c86f
SHA1 540caad4bed017d128c51d6491b00b7475632cd4
SHA256 c69cddb2f78b97df360b15497f1b0e7ffdcbdd9513ca8bf0293bf3eca328d93e
SHA512 28919a5ea9605269e667c8e9522c3bce39d94213f9da12270c0212c4da847985b1348260e32cf4755b001dafac353bd6eebfb3db1a5233356c96c0da3caa5d5f

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 5f1a1a568a2f39f63caf8c89606da8da
SHA1 ec905582630d3bf30e9513666264b9b3a89e6814
SHA256 fdeeab078b7da79f57746f87d0df3c2ae0120357740a600c1568a1474ac7bdd2
SHA512 cbd1ee07ca8038434133375f5db9933a7784cdd7f33d50a5f90d5bba245875340de6915d944013703aa201329f906a0adbaddbb79fe1bdfa01a3456ede16d62e

memory/1056-674-0x0000000000400000-0x000000000040B000-memory.dmp