Malware Analysis Report

2025-01-22 20:14

Sample ID 241019-xgb4sasapb
Target 6479694dc7f9ae5446d87b8cb69805b5082c2666666bdfca41afc2f35c079613N
SHA256 6479694dc7f9ae5446d87b8cb69805b5082c2666666bdfca41afc2f35c079613
Tags
upx discovery ransomware
score
9/10

Table of Contents

Analysis Overview
    MITRE ATT&CK
        Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
9/10

SHA256

6479694dc7f9ae5446d87b8cb69805b5082c2666666bdfca41afc2f35c079613

Threat Level: Likely malicious

The file 6479694dc7f9ae5446d87b8cb69805b5082c2666666bdfca41afc2f35c079613N was found to be: Likely malicious.

Malicious Activity Summary

upx discovery ransomware

Renames multiple (5038) files with added filename extension

Renames multiple (3740) files with added filename extension

UPX packed file

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-19 18:49

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-19 18:49

Reported

2024-10-19 18:51

Platform

win7-20240903-en

Max time kernel

150s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6479694dc7f9ae5446d87b8cb69805b5082c2666666bdfca41afc2f35c079613N.exe"

Signatures

Renames multiple (3740) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory


System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6479694dc7f9ae5446d87b8cb69805b5082c2666666bdfca41afc2f35c079613N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6479694dc7f9ae5446d87b8cb69805b5082c2666666bdfca41afc2f35c079613N.exe

"C:\Users\Admin\AppData\Local\Temp\6479694dc7f9ae5446d87b8cb69805b5082c2666666bdfca41afc2f35c079613N.exe"

Network

N/A

Files

memory/2420-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3290804112-2823094203-3137964600-1000\desktop.ini.tmp

MD5 596f12890f1a95dfc54be1fa7f4795da
SHA1 875158a234f57b3745b14a5a59d708af2f91c9f1
SHA256 8e95ef3ef56c0afcb040d2b8aab452068ece92ec0b0a5bd36e4fe7ddb36ba14e
SHA512 759413e5c5bf4abe78915d85f68fbb8eda8b59e80a06457cb8052240a2a77e7af35cf5f14bbd0d9af7cce865a68c6d48eda3045879cb64e7b6299d429f8cad7b

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 435c02a795adc186e5e0daebe9857b04
SHA1 86682e5cbe8e03b0f5ac7798c4fc20f5da2b521e
SHA256 c14f6c2d616fb66efe6a12918f2fbf9ac5c5d19f9fa900b9a78b0cfc6844877e
SHA512 fed61d506b3c329a1698d28da6e404966a6841b0aa22e1de524b94e0a0b57a8f9a0927e0b53f38ccb0e1c86401d003b691d0e52aad226e22d820f4cbc1a1865f

memory/2420-68-0x0000000000400000-0x000000000040B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-19 18:49

Reported

2024-10-19 18:51

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6479694dc7f9ae5446d87b8cb69805b5082c2666666bdfca41afc2f35c079613N.exe"

Signatures

Renames multiple (5038) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory


System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6479694dc7f9ae5446d87b8cb69805b5082c2666666bdfca41afc2f35c079613N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6479694dc7f9ae5446d87b8cb69805b5082c2666666bdfca41afc2f35c079613N.exe

"C:\Users\Admin\AppData\Local\Temp\6479694dc7f9ae5446d87b8cb69805b5082c2666666bdfca41afc2f35c079613N.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 98.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

memory/1192-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-4050598569-1597076380-177084960-1000\desktop.ini.tmp

MD5 e1223babbd79be81020ff8cc872c46ff
SHA1 ff93eb4fd690b98bbdcd03aa78095a8accc56e2c
SHA256 25944c921cd77d3e0255ea9a98ca0e8643f86006b1e6e08f1202e83d748c4e6e
SHA512 7538115789d5a5d517a8f5ba05c04f18f435009a8d9db0567464eb404d3fb74ac7810e18c2b25944127ea7abdd2beaff6866a535b55a2799d1c1839bdb38cc8a

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 298f056d6512eee1383ba5762c963e15
SHA1 8e250d00046add61180515c2821997dcfc538bea
SHA256 e158b4b688e6eba8336d2eab5a635b8e3cf53fab9a75d65e59ab216b977eebbd
SHA512 74b766e7e170181220a1de13594233aceb05bac7b9acda8c0b0c7d1915fb8083f58bb483345847ac96c6b90a2c1b65b2f08700fcfd4611ae894e7c7d2def9255

memory/1192-786-0x0000000000400000-0x000000000040B000-memory.dmp