Malware Analysis Report

2025-03-15 08:28

Sample ID 241020-wy5a8avcml
Target 9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN
SHA256 9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2e
Tags
discovery ransomware
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2e

Threat Level: Likely malicious

The file 9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN was found to be: Likely malicious.

Malicious Activity Summary

discovery ransomware

Renames multiple (3544) files with added filename extension

Renames multiple (4923) files with added filename extension

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-20 18:20

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-20 18:20

Reported

2024-10-20 18:23

Platform

win7-20240903-en

Max time kernel

150s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe"

Signatures

Renames multiple (3544) files with added filename extension

ransomware

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Windows NT\TableTextService\TableTextServiceSimplifiedQuanPin.txt.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\7-Zip\Lang\ko.txt.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipTsf.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\hu.pak.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\triggerConstraints.exsd.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.manipulator.nl_zh_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\vlc.mo.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\demux\libasf_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\css\settings.css.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.scheduler.nl_zh_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\play_down.png.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\delete_over.png.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\FlickLearningWizard.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Common Files\System\msadc\fr-FR\msdaprsr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.services_1.1.0.v20140328-1925.jar.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Yellowknife.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Mozilla Firefox\postSigningData.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color120.jpg.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\css\settings.css.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.workbench_3.106.1.v20140827-1737.jar.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Microsoft Games\FreeCell\en-US\FreeCell.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\video_filter\libantiflicker_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Windows Media Player\de-DE\wmplayer.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Windows Media Player\es-ES\wmpnetwk.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color48.png.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\mainimage-mask.png.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\db\lib\derbynet.jar.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\MANIFEST.MF.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\UIAutomationTypes.dll.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\css\flyout.css.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\PYCC.pf.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\index.gif.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Java\jre7\bin\rmid.exe.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Asia\Anadyr.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Windows Media Player\wmpnssci.dll.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\4.png.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\zh-TW.pak.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\include\jni.h.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Ust-Nera.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.services.nl_zh_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\service.js.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\7-Zip\Lang\nb.txt.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_VideoInset.png.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Full\1047x576black.png.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\title_trans_scene.wmv.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\vistabg.png.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Pacific\Guam.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Mozilla Firefox\softokn3.dll.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Algiers.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\dragHandle.png.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\release.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Java\jre7\lib\jvm.hprof.txt.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\audio_output\libwaveout_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-changjei.xml.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationUp_ButtonGraphic.png.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\prodicon.gif.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Java\jre7\bin\tnameserv.exe.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color48.bmp.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\currency.js.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\(144DPI)grayStateIcon.png.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Dawson.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.p2.ui.overridden_5.5.0.165303.jar.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe

"C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe"

Network

N/A

Files

memory/2684-0-0x0000000000400000-0x0000000000408000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3063565911-2056067323-3330884624-1000\desktop.ini.tmp

MD5 25057a52ba3cc9ae954bdbfc18e195d1
SHA1 eb69864679fb1ee78cdcfa63cf0cfb49516cf01c
SHA256 0a62a8baac318777f2bdc6738ab7bc5a6a0718cac2c190d515756e17f4988110
SHA512 78c234bee9df8d47c11f5467d556ddafe832d30574cbf5fdb824283fdb3c0a92554e3d8b6dbc853df651caa349a7a1b0eb39a9261269b76c98f8ac32d38a37a5

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 f0cf58ed72cc6988b7afcc1fda83ec60
SHA1 0dae965dc79d9e896f4bb748507d648aff1c7ae5
SHA256 29f11eb9cc68b038e1a1e79270073fb678c63f80c10f106886e15b0641da78c6
SHA512 76d06b1f2657a8c76423f5d52d02852b393fa395d3415ca738f0e200acac07814a46defa2fcd3d2e0491799e2f79034dae7d8daffeccca4d113d5931b42ee635

memory/2684-74-0x0000000000400000-0x0000000000408000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-20 18:20

Reported

2024-10-20 18:23

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe"

Signatures

Renames multiple (4923) files with added filename extension

ransomware

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.EventBasedAsync.dll.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\UIAutomationProvider.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Windows.Forms.Design.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\Microsoft.VisualBasic.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\PresentationCore.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Internet Explorer\hmmapi.dll.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-synch-l1-2-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp3-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Grace-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\hwritalm.dat.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.UnmanagedMemoryStream.dll.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\WindowsFormsIntegration.dll.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_OEM_Perp-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Grace-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.Luna.dll.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationNative_cor3.dll.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\UIAutomationTypes.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\hr.pak.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Trial-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\de-DE\TipRes.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ipsptb.xml.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\sfodbc_sb64.dll.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PowerPointCombinedFloatieModel.bin.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\Microsoft.VisualBasic.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Retail-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\et-EE\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\Microsoft.VisualBasic.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTrial-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial1-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_PrepidBypass-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\SIST02.XSL.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClientIsv.man.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvStreamingManager.dll.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Aero2.dll.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\javapackager.exe.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-80.png.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\tr\msipc.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\dxil.dll.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Grace-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_PrepidBypass-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Exchange.WebServices.dll.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\msotd.exe.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ipsen.xml.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\.version.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Ping.dll.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.XmlSerializer.dll.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Xaml.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial4-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\de-DE\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\UIAutomationTypes.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription1-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Retail-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\WacLangPackEula.txt.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\sbicudt58_64.dll.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\7-Zip\7z.dll.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Common Files\DESIGNER\MSADDNDR.OLB.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-100.png.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\ipcsecproc.dll.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\OneNote\prnSendToOneNote.cat.tmp C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe

"C:\Users\Admin\AppData\Local\Temp\9b2b0c040d61bea62ee200e024dbd979dc28f684d3c7ffcdb9ccf7dfad9c8b2eN.exe"

Network

Country  Destination         Domain                         Proto
US       8.8.8.8:53          8.8.8.8.in-addr.arpa           udp
US       8.8.8.8:53          104.219.191.52.in-addr.arpa    udp
US       8.8.8.8:53          83.210.23.2.in-addr.arpa       udp
US       8.8.8.8:53          74.32.126.40.in-addr.arpa      udp
US       8.8.8.8:53          95.221.229.192.in-addr.arpa    udp
US       8.8.8.8:53          g.bing.com                     udp
US       150.171.27.10:443   g.bing.com                     tcp
US       8.8.8.8:53          13.86.106.20.in-addr.arpa      udp
US       8.8.8.8:53          53.210.109.20.in-addr.arpa     udp
US       8.8.8.8:53          241.42.69.40.in-addr.arpa      udp
US       8.8.8.8:53          75.117.19.2.in-addr.arpa       udp
US       8.8.8.8:53          172.210.232.199.in-addr.arpa   udp
US       8.8.8.8:53          43.58.199.20.in-addr.arpa      udp
US       8.8.8.8:53          88.210.23.2.in-addr.arpa       udp
US       8.8.8.8:53          48.229.111.52.in-addr.arpa     udp
US       8.8.8.8:53          tse1.mm.bing.net               udp
US       150.171.28.10:443   tse1.mm.bing.net               tcp
US       150.171.28.10:443   tse1.mm.bing.net               tcp
US       150.171.28.10:443   tse1.mm.bing.net               tcp
US       150.171.28.10:443   tse1.mm.bing.net               tcp
US       8.8.8.8:53          10.28.171.150.in-addr.arpa     udp

Files

memory/4116-0-0x0000000000400000-0x0000000000408000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3442511616-637977696-3186306149-1000\desktop.ini.tmp

MD5 05f5dea2df73a19d24673cfe4a5d73c0
SHA1 38e445ed0f3b0940d7537665279533258fff8398
SHA256 0c50564f3d5125dc7e4a95d727959f0cf83ce1e48765411c194c2394433490f7
SHA512 454a32e51891a9f6fe10381bf6c12b17b41f4dfb53e92afe984035d92b5ab3cc5acd6407b5a6d5e297318d8beedda60de69d6d62be0a1249acb827c5e24c2b74

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 08d1d15ecefdb66602a292cafc901144
SHA1 6b2e8ed9b04d773105a21caa789a141baea6554d
SHA256 65d5be87ac3358c7b954cca9f7f4c52bbd4837497283d9150b709b54f98a5853
SHA512 82410bcd8114b76d37b40679b030c2ce837b42801097016a0f1374664b3d8fb777550543d98a88a30684b055bf46d8c3b926e8af262692e7a97bd2e79d15856a

memory/4116-664-0x0000000000400000-0x0000000000408000-memory.dmp