Malware Analysis Report

2025-01-22 19:54

Sample ID 241016-zsh3kswcrk
Target 14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N
SHA256 14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66
Tags discovery ransomware upx
Score 9/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 9/10
SHA256 14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66

Threat Level: Likely malicious

The file 14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N was found to be: Likely malicious.

Malicious Activity Summary

discovery ransomware upx

Renames multiple (4614) files with added filename extension

Renames multiple (3150) files with added filename extension

UPX packed file

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-10-16 20:58

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-10-16 20:58
Reported 2024-10-16 21:00
Platform win7-20240903-en
Max time kernel 120s
Max time network 118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe"

Signatures

Renames multiple (3150) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64.nl_zh_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.forms.nl_ja_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-io-ui.xml.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationUp_ButtonGraphic.png.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaBrightDemiBold.ttf.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Tokyo.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.scheduler.nl_ja_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipTsf.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\TipRes.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Winnipeg.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.app_1.3.200.v20130910-1609.jar.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-templates_zh_CN.jar.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.net_1.2.200.v20140124-2013.jar.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Microsoft Games\Multiplayer\Checkers\ja-JP\chkrzm.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\tabskb.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\external_extensions.json.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Tijuana.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-masterfs-nio2_ja.jar.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsNotesBackground.wmv.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-loaders.xml.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Common Files\System\msadc\fr-FR\msadcor.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\1047x576black.png.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\access\libsmb_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Europe\Budapest.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ipsfin.xml.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.eclipse.nl_ja_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-applemenu.xml.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Java\jre7\lib\resources.jar.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Africa\Casablanca.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Lord_Howe.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME.txt.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-annotations-common_zh_CN.jar.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Atlantic\Bermuda.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationUp_SelectionSubpicture.png.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jvm.xml.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Santiago.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Tegucigalpa.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Data.Services.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainBackground_PAL.wmv.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\jsoundds.dll.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.beans_1.2.200.v20140214-0004.jar.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\Microsoft.Build.Utilities.v3.5.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\CST6CDT.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\about.html.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Microsoft Games\Multiplayer\Backgammon\ja-JP\bckgzm.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\lo\LC_MESSAGES\vlc.mo.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\dt.jar.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.syntheticattribute.exsd.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Java\jre7\lib\calendars.properties.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Antarctica\Casey.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.garbagecollector_1.0.200.v20131115-1210.jar.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.swt.win32.win32.x86_64.nl_zh_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\7-Zip\Lang\en.ttt.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Common Files\System\msadc\it-IT\msadcfr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationLeft_ButtonGraphic.png.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Internet Explorer\iediagcmd.exe.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_es.jar.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\tabskb.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\accessibility.properties.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-ui_zh_CN.jar.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Caracas.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Canary.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe

"C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe"

Network

N/A

Files

memory/2360-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-1488793075-819845221-1497111674-1000\desktop.ini.tmp

MD5 793b83bca0831f2fa2fcea9912bd91b1
SHA1 9e186738e46ee8261906b8548aa9b1ea8fa0c393
SHA256 7610d65dc5c9d598282a60a453b5f67d89b2ae4730f9ba90150ff6f05be76e6b
SHA512 1fb30fb803f01824490bfb747b453e22ddd87156fed8d75fe61a8d695b9e5a234877e436fd65fddff2864c73547f2a8d7e7e1bd292958fdf3a31cb66f72b3031

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 b1f6080d49648f74eac2b3d6421f8b02
SHA1 892f203d3f8fa8892bb0e85da3043beef7023a17
SHA256 745e2eaf32f55364106c5433c691ed4bbe08b2a105353f529303d909d88267ac
SHA512 1f46ce38844325bc8d59c28cbea579de1b3d1375fe5e1b8d5c8bc64bd7b1ed1b2235cbf6cae4dac10b1f818e2bd421014702b4443815beff67b1a554592f6a7e

memory/2360-74-0x0000000000400000-0x000000000040B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-10-16 20:58
Reported 2024-10-16 21:00
Platform win10v2004-20241007-en
Max time kernel 119s
Max time network 105s

Command Line

"C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe"

Signatures

Renames multiple (4614) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\PresentationCore.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\PresentationFramework.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Office Theme.thmx.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\MSQRY32.CHM.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\oledbvbs.inc.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-environment-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Trial-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\ReachFramework.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp3-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_OEM_Perp-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-changjei.xml.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\ext\access-bridge-64.jar.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Integration\C2RInt.16.msi.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Integration\C2RManifest.excelmui.msi.16.en-us.xml.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_MAK_AE-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART8.BDR.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Windows.Controls.Ribbon.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\UIAutomationTypes.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\System.Windows.Forms.Primitives.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTrial-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTest-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\WordR_OEM_Perp-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\InkObj.dll.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ro-RO\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.AccessControl.dll.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Windows.Forms.Design.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.Luna.dll.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\ext\jaccess.jar.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntry2019R_PrepidBypass-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\csi.dll.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Collections.dll.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\WindowsBase.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_Subscription-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail2-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.dll.config.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription2-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.da-dk.dll.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\msdasqlr.dll.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.VisualBasic.dll.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Windows.Forms.Primitives.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Windows.Forms.Design.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\UIAutomationClient.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\v8_context_snapshot.bin.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\Configuration\card_security_terms_dict.txt.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\jcmd.exe.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\legal\jdk\lcms.md.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-datetime-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTrial-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Common Files\System\ado\msadomd28.tlb.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\UIAutomationClientSideProviders.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\UIAutomationClient.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\security\trusted.libraries.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\vcruntime140.dll.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Retail-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\sv-SE\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp2-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Trial-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_KMS_Client_AE-ul.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-string-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-140.png.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XPath.XDocument.dll.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\WindowsBase.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe

"C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

memory/4928-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-940901362-3608833189-1915618603-1000\desktop.ini.tmp

MD5 44fb0571cb16eea41891d1bfb4fa0407
SHA1 b7712f38720cc67155eace1b5199cd6568b22103
SHA256 445d3f78a3fc099e58b2809a34ab9e302f51289e98800aef5993675422f21b4f
SHA512 44f9cb37466a0b5b1a03f7d74ef56448d17aaf1b28d645129ea536f4e3bff7cd072c18a9354af29d0f2e225a8bdc5353de6bdae80c49233b3e44d82516a22ac0

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 619be9ba3a1ddf40b012297304b6e62f
SHA1 67827d470ff2d9b810ddaa1ff45fd54cc21a4351
SHA256 932d812d0b385c4cdb82fae070460424e574c8e2979022386e9724cd73c69259
SHA512 5185579edf78b70eb476c01625b6312240b36a7d46bf9055b451109aba92370f4c92029a93d9c6f5c1a91c03fc1c0aae58da4c1ecbf2c9e15c161bc4bc8e4a0d

memory/4928-740-0x0000000000400000-0x000000000040B000-memory.dmp