Malware Analysis Report

2024-10-24 18:21

Sample ID 241018-cxy82avbjk
Target 4b95ebda59092a42e95e50a540ea5fefcfc6b25230ac51c04e19782527531f38N
SHA256 4b95ebda59092a42e95e50a540ea5fefcfc6b25230ac51c04e19782527531f38
Tags
upx discovery ransomware
score
9/10

Analysis Overview

score
9/10

SHA256

4b95ebda59092a42e95e50a540ea5fefcfc6b25230ac51c04e19782527531f38

Threat Level: Likely malicious

The file 4b95ebda59092a42e95e50a540ea5fefcfc6b25230ac51c04e19782527531f38N was found to be: Likely malicious.

Malicious Activity Summary

upx discovery ransomware

Renames multiple (4659) files with added filename extension

Renames multiple (3461) files with added filename extension

UPX packed file

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-18 02:28

Signatures

UPX packed file

upx

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-10-18 02:28

Reported

2024-10-18 02:30

Platform

win7-20240903-en

Max time kernel

120s

Max time network

117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4b95ebda59092a42e95e50a540ea5fefcfc6b25230ac51c04e19782527531f38N.exe"

Signatures

Renames multiple (3461) files with added filename extension

ransomware

UPX packed file

upx

Drops file in Program Files directory


System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4b95ebda59092a42e95e50a540ea5fefcfc6b25230ac51c04e19782527531f38N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4b95ebda59092a42e95e50a540ea5fefcfc6b25230ac51c04e19782527531f38N.exe

"C:\Users\Admin\AppData\Local\Temp\4b95ebda59092a42e95e50a540ea5fefcfc6b25230ac51c04e19782527531f38N.exe"

Network

N/A

Files

memory/2424-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3063565911-2056067323-3330884624-1000\desktop.ini.tmp

MD5 9dd06abbce9ec76161f428fffa4ac629
SHA1 0f3cc4b16d2c9c816ac941330fafe4b1936b5288
SHA256 da793a66a74d7faaf75c235c1bf757562a63ca06bca8ec60d086c90c0fc544c9
SHA512 dddd6c6b9f6cebdb4cdd831b98b9ae93a562249df19ba09262d5642ea3fd2ba7f461d827570eb87b0d79bdce0cdf1b7d1223ad3f552e80a2cce680d608364459

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 e117610f2a08a605e0d9c0b0c312ddda
SHA1 1086ab571e4073274fa0cce40f751dd05679d0b7
SHA256 e5fdc8a187f484ffdd638cb2ce5655540efee48eb67388f30cf667f9b1fd2ee0
SHA512 b6261360dde4933068dca2a80b052a7930ed47a7f050bd4b6f4b3832fa597a665fe3dc8df3a1cddfcc1c8c36d96c64bc8006c524925c0b1c68c467ff3d3daf6e

memory/2424-72-0x0000000000400000-0x000000000040A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-18 02:28

Reported

2024-10-18 02:30

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4b95ebda59092a42e95e50a540ea5fefcfc6b25230ac51c04e19782527531f38N.exe"

Signatures

Renames multiple (4659) files with added filename extension

ransomware

UPX packed file

upx

Drops file in Program Files directory


System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4b95ebda59092a42e95e50a540ea5fefcfc6b25230ac51c04e19782527531f38N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4b95ebda59092a42e95e50a540ea5fefcfc6b25230ac51c04e19782527531f38N.exe

"C:\Users\Admin\AppData\Local\Temp\4b95ebda59092a42e95e50a540ea5fefcfc6b25230ac51c04e19782527531f38N.exe"

Network


Files

memory/2700-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3227495264-2217614367-4027411560-1000\desktop.ini.tmp

MD5 d75702bd7ae6628a4e195c91a8eed85b
SHA1 b21d875b8c837020804e96e7572fd137689779c8
SHA256 edac1eada35e49aa6e440f582cc91f21e0f02e6eaa5353e2af27f3043181ac50
SHA512 53f936b99dcb95950de441f81672d87e41dfa05b39109af8dd7ef2e8de4f1cff1f3b58672bfe38498b2187991c3db2c89bef360f3d3beaba8f3b2cc6f41371c7

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 a51bc84a12706323de7f9f5879e95e68
SHA1 17891e4e4ebbb327283f8c6c6c082bb2591c98b7
SHA256 2a87156c0714ced32d1c2be46d63d290e48958e290ab48f85204181f11754fca
SHA512 48876ac6db2d98f3a0ddb6d667e45e01a45ec9968a97bbafe478ce32c04ab537a81cdd72a5ecbfbb7c2ab20429ca2404b740c9923e18329fc3d1f453e3783a9c

memory/2700-790-0x0000000000400000-0x000000000040A000-memory.dmp