Malware Analysis Report

2024-10-24 18:21

Sample ID 241018-cgnscszfpb
Target 44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN
SHA256 44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01c
Tags
upx discovery ransomware
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01c

Threat Level: Likely malicious

The file 44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN was found to be: Likely malicious.

Malicious Activity Summary

upx discovery ransomware

Renames multiple (4859) files with added filename extension (behavioral2, Windows 10 run)

Renames multiple (524) files with added filename extension (behavioral1, Windows 7 run)

UPX packed file

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-18 02:03

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
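The two static1 findings above can be reproduced without running the sample. The following is an added example written for this page, not the sandbox's own code: it parses the PE headers with `struct` only (no `pefile` dependency), looks for the UPX section layout and checks whether an Authenticode blob is attached. `build_pe()` fabricates minimal PE32 header sets purely as constructed test input; to triage a real file, pass `open(path, "rb").read()` to `triage()`.

```python
"""Static triage for the 'UPX packed file' and 'Unsigned PE' findings.
Added example, not sandbox code. Parses PE headers with struct only so it
runs offline on any platform; build_pe() produces constructed test input."""
import struct

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # Authenticode (WIN_CERTIFICATE) directory entry
SECTION_HEADER_SIZE = 40


def parse_pe(data: bytes) -> dict:
    """Return the section headers and the security data-directory entry of a PE file."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    file_header = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, file_header + 2)[0]
    size_of_optional = struct.unpack_from("<H", data, file_header + 16)[0]
    optional = file_header + 20
    magic = struct.unpack_from("<H", data, optional)[0]
    # Data directories start at +96 for PE32 (0x10B) and +112 for PE32+ (0x20B).
    dir_base = optional + (96 if magic == 0x10B else 112)
    sec_rva, sec_size = struct.unpack_from("<II", data, dir_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    sections, off = [], optional + size_of_optional
    for _ in range(num_sections):
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        sections.append({"name": name.rstrip(b"\0"), "virtual_size": vsize,
                         "virtual_address": vaddr, "raw_size": raw_size})
        off += SECTION_HEADER_SIZE
    return {"sections": sections, "security_dir": (sec_rva, sec_size)}


def triage(data: bytes) -> dict:
    """Reproduce the 'UPX packed file' and 'Unsigned PE' checks from the headers."""
    pe = parse_pe(data)
    names = {s["name"] for s in pe["sections"]}
    upx_named = bool(names & UPX_SECTION_NAMES)
    # UPX's first section is the in-memory unpacking destination: it has a
    # VirtualSize but no raw bytes on disk. This also catches renamed UPX sections.
    first = pe["sections"][0] if pe["sections"] else None
    hollow_first = first is not None and first["raw_size"] == 0 and first["virtual_size"] > 0
    # A zero-sized security directory means no Authenticode blob is attached.
    # A non-zero one only proves a blob exists; validity needs WinVerifyTrust/signtool.
    has_signature_blob = pe["security_dir"][1] > 0
    return {
        "upx_packed": upx_named or hollow_first,
        "unsigned": not has_signature_blob,
        "sections": sorted(n.decode("ascii", "replace") for n in names),
    }


def build_pe(section_names, security_size: int = 0) -> bytes:
    """Constructed test input: a minimal, non-executable PE32 header set."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: NT headers right after the DOS header
    file_header = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 224, 0x102)
    optional = bytearray(224)                 # PE32: 96 fixed bytes + 16 data directories
    struct.pack_into("<H", optional, 0, 0x10B)
    struct.pack_into("<I", optional, 92, 16)  # NumberOfRvaAndSizes
    struct.pack_into("<II", optional, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                     0x1000 if security_size else 0, security_size)
    headers = b""
    for i, name in enumerate(section_names):
        raw_size = 0 if name == b"UPX0" else 0x200  # mimic UPX's hollow first section
        headers += struct.pack("<8sIIII", name.ljust(8, b"\0"), 0x1000, 0x1000 * (i + 1), raw_size, 0x400)
        headers += bytes(16)                  # relocation/line-number fields and Characteristics
    return bytes(dos) + b"PE\0\0" + file_header + bytes(optional) + headers


if __name__ == "__main__":
    print(triage(build_pe([b"UPX0", b"UPX1", b".rsrc"])))
    print(triage(build_pe([b".text", b".data"], security_size=0x1800)))
```

Two caveats the report's one-word tags hide: section names are trivially renamed, so the hollow-first-section heuristic (and, in practice, per-section entropy) matters more than the literal `UPX0` string; and "Unsigned PE" here only means no signature blob is attached, which is the common case for commodity ransomware but says nothing about whether an attached signature would have verified.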

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-18 02:03

Reported

2024-10-18 02:05

Platform

win7-20241010-en

Max time kernel

150s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe"

Signatures

Renames multiple (524) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\btn-next-static.png.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\pt-BR.pak.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\db\bin\startNetworkServer.bat.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\j2pcsc.dll.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Common Files\System\msadc\msdarem.dll.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\de-DE\sqloledb.rll.mui.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\vistabg.png.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_leftarrow.png.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\JdbcOdbc.dll.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\IPSEventLogMsg.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\OFFICE14\msoshext.dll.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Common Files\System\wab32res.dll.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\db\bin\dblook.bat.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\Alphabet.xml.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\1047x576black.png.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\lv.pak.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Memo.emf.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationRight_ButtonGraphic.png.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\external_extensions.json.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\en-US.pak.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InputPersonalization.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\split.avi.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad.xml.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_ru.jar.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXEV.DLL.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationRight_SelectionSubpicture.png.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationRight_SelectionSubpicture.png.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\lt.pak.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\7-Zip\Lang\th.txt.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Wrinkled_Paper.gif.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Common Files\System\msadc\it-IT\msdaremr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Internet Explorer\ieinstal.exe.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\TipRes.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Graph.emf.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Common Files\System\msadc\ja-JP\msaddsr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\es-ES\sqlxmlx.rll.mui.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\1047x576black.png.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Internet Explorer\ie9props.propdesc.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\7-Zip\Lang\sv.txt.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\rtscom.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\White_Chocolate.jpg.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\include\jawt.h.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Common Files\System\msadc\fr-FR\msadcor.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\content-background.png.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\db\bin\stopNetworkServer.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationRight_SelectionSubpicture.png.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\cs.pak.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\mshwLatin.dll.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\en-US\sqloledb.rll.mui.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\msxactps.dll.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Scene_loop.wmv.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\1047x576black.png.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\7-Zip\Lang\eo.txt.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\InputPersonalization.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A

Note: this key holds the system's default language. Ransomware families commonly read it to skip machines in certain locales, but the report records only the key open, not what the sample did with the value, so this entry alone does not establish a locale check.

Processes

C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe

"C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe"

Network

N/A

Files

memory/1680-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3692679935-4019334568-335155002-1000\desktop.ini.tmp

MD5 98e05b6c175d77ed564cb3cb3798a7cb
SHA1 992ba68c75e7615941132d07044dbdb4c3179088
SHA256 69dc74a65788a3950c7b216b191c3226c6f76be0df238ab987ced57d3a44f6d0
SHA512 d667fea62e05ad80da2546c0aa2fca76d7e94c1932c2710a7b5194b71a2f8a315e10a579d33ac2a2a5cf470c3868d410dca0e40193947c0ce33fbf804dddcfea

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 0bec7a5fbe814233fcf153b66adc6925
SHA1 d57bf9bcb79be2c67d806ead538f4332a6a9a97f
SHA256 0c2081ac5450a54bdfb0f0f168556cf5bb40e52ae16767796167e1f2c180a108
SHA512 95d0c41cdac03a3ceb8dfe43d4cbe7c883abe382c7b588d18bfe2a811b76777ecac2f8d33c8698c7a3b7e8ab74e61494cf088c98386d6ec5289e8c161f4953ef

memory/1680-18-0x0000000000400000-0x000000000040B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-18 02:03

Reported

2024-10-18 02:05

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe"

Signatures

Renames multiple (4859) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\icudtl.dat.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\WordR_Retail-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL022.XML.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ja-JP\rtscom.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Security.Cryptography.ProtectedData.dll.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\PresentationCore.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_CopyDrop32x32.gif.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_KMS_ClientC2R-ul.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.Office.Tools.dll.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\PresentationCore.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\jdwp.dll.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\cmm\CIEXYZ.pf.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Linq.Queryable.dll.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_KMS_Client-ul.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\OSF.DLL.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\7-Zip\7z.exe.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Dynamic.Runtime.dll.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ONFILTER.DLL.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\jp2native.dll.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\FPA_w1\WA104381125.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL016.XML.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscorrc.dll.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.CompilerServices.Unsafe.dll.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Presentation.dll.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Windows.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.Luna.dll.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Grace-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\LyncBasic_Eula.txt.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-140.png.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.NETCore.App.deps.json.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Java\jdk-1.8\legal\jdk\bcel.md.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Grace-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_Subscription-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Common Files\System\msadc\it-IT\msadcer.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Microsoft.WindowsDesktop.App.deps.json.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework-SystemXml.dll.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-conio-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\prism_sw.dll.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_MAKC2R-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\UIAutomationProvider.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Xaml.dll.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-file-l2-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Windows.Input.Manipulations.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-180.png.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\ucrtbase.dll.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui.xml.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Memory.dll.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-console-l1-2-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Java\jdk-1.8\include\jdwpTransport.h.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription1-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremDemoR_BypassTrial365-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\imjplm.dll.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Encodings.Web.dll.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\PresentationFramework.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp6-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Grace-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\+Connect to New Data Source.odc.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\PersonaSpy.html.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_heb.xml.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\jawt.dll.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest2-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
File created C:\Program Files\Java\jdk-1.8\legal\javafx\mesa3d.md.tmp C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A
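Both behavioral runs show the same file-system pattern: a new file appears next to each original with `.tmp` appended to the full original name (`th.txt` becomes `th.txt.tmp`, `jstack.exe` becomes `jstack.exe.tmp`), across many unrelated Program Files subtrees, followed by the mass-rename signature. The following is an added example, not sandbox code, showing how to turn rows in this report's `File created <target> <process> N/A` format into a per-process mass-rename verdict. The sample rows are constructed for the example: the sample's path is shortened to `C:\Users\Admin\AppData\Local\Temp\sample.exe`, the targets are taken from the tables above, and the `ExampleApp-setup.exe` rows are a hypothetical benign installer for contrast.

```python
"""Per-process mass-rename detection over 'File created' rows.
Added example, not sandbox code. Sample rows below are constructed:
the sample's process path is shortened, and ExampleApp-setup.exe is a
hypothetical benign installer used for contrast."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Matches the report's row layout: 'File created <target> <process> N/A'.
# Target paths contain spaces, so anchor the process column on a drive letter.
ROW = re.compile(r"^File created (?P<target>[A-Za-z]:\\.+?) (?P<process>[A-Za-z]:\\.+?\.exe) N/A$")

SAMPLE_ROWS = r"""
File created C:\Program Files\7-Zip\Lang\th.txt.tmp C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe.tmp C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File created C:\Program Files\Common Files\System\wab32res.dll.tmp C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\btn-next-static.png.tmp C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File created C:\Program Files\Internet Explorer\ie9props.propdesc.tmp C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Memo.emf.tmp C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File created C:\$Recycle.Bin\S-1-5-21-3692679935-4019334568-335155002-1000\desktop.ini.tmp C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File created C:\Program Files\ExampleApp\install.log.tmp C:\Users\Admin\Downloads\ExampleApp-setup.exe N/A
File created C:\Program Files\ExampleApp\config.xml.tmp C:\Users\Admin\Downloads\ExampleApp-setup.exe N/A
"""


def parse_rows(text: str) -> list:
    """Return (process, target) pairs for every row that matches the report format."""
    events = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            events.append((m["process"], m["target"]))
    return events


def profile(events, added_ext: str = ".tmp") -> dict:
    """Aggregate, per process, how many files gained the extension, in how many
    directories, and which original extensions were hit."""
    per = defaultdict(lambda: {"tmp_files": 0, "dirs": set(), "orig_exts": set()})
    for proc, target in events:
        p = PureWindowsPath(target)
        if p.suffix.lower() != added_ext:
            continue
        original = PureWindowsPath(p.stem)  # 'th.txt.tmp' -> 'th.txt': the pre-rename name
        stats = per[proc]
        stats["tmp_files"] += 1
        stats["dirs"].add(str(p.parent).lower())
        stats["orig_exts"].add(original.suffix.lower() or "<none>")
    return per


def flag_mass_rename(events, min_files: int = 5, min_dirs: int = 3, min_exts: int = 3) -> dict:
    """Flag a process that appends one extension to many files of unrelated types
    spread over several directories. Thresholds are this example's assumptions;
    installers typically touch one subtree and a couple of file types."""
    verdicts = {}
    for proc, stats in profile(events).items():
        suspicious = (stats["tmp_files"] >= min_files
                      and len(stats["dirs"]) >= min_dirs
                      and len(stats["orig_exts"]) >= min_exts)
        verdicts[proc] = {"tmp_files": stats["tmp_files"], "dirs": len(stats["dirs"]),
                          "orig_exts": sorted(stats["orig_exts"]), "suspicious": suspicious}
    return verdicts


if __name__ == "__main__":
    for proc, v in flag_mass_rename(parse_rows(SAMPLE_ROWS)).items():
        print(proc, v)
```

On a live host the same aggregation runs over Sysmon Event ID 11 (FileCreate) records keyed by process; the thresholds here are deliberately low to work on a nine-row sample and should be raised (and a time window added) before use in production. Note that the `.tmp` name is the sandbox's snapshot of an intermediate state: the later "Renames multiple files" signature is what records the final extension, which the report does not print.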

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe

"C:\Users\Admin\AppData\Local\Temp\44aa979d70c28e001b71f0073cc3a12c90800b8ef1fc94b1a105b484bcf9d01cN.exe"

Network

Note: this table lists all traffic the Windows 10 sandbox emitted during the run and does not attribute flows to a process; the Windows 7 run (behavioral1) recorded no network activity at all. Bing-service connections and reverse DNS (in-addr.arpa) queries of this kind are also seen on an idle Windows 10 image, so treat them as background noise rather than as sample command-and-control until a process-level capture ties them to the sample.

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 1.173.189.20.in-addr.arpa udp

Files

memory/5020-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3227495264-2217614367-4027411560-1000\desktop.ini.tmp

MD5 0807762764e7924cd8562e35926a706d
SHA1 1211f010544a8dce9463a47b5809499068aed6b6
SHA256 36a3432303aeb48ef3c3949a32b8839deafdab30aec5bc671ddd2f22a3cb33ce
SHA512 a3fd1c2b02f8f95c6aa8aa9cb2f9a17b13c21c08afcdddecbd4440df0a78972b73555d0dd417502480a7de72919e0c9bc816eaa23cc40add90c3464f84bf6f8c

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 b3b7f0629f5be14690cba563439bb032
SHA1 465edfd2c268a8fc6bdac9a691b51664b8e5e674
SHA256 247ef961e8e9eeadaee16f67256f7c6d5151b331825149bced564ebf27155667
SHA512 bff9ac57fec28f2d00194e18961acef5ea0944fca0d8acb0d859534a22d21ce14f32a6236213c1fee901c2e29d0b24fa9a0a37ac21a355109c1394ef4d9a3bd8

memory/5020-708-0x0000000000400000-0x000000000040B000-memory.dmp