Malware Analysis Report

2025-03-15 08:25

Sample ID 241020-z8mqpssfqn
Target 44e098932807f7100296c727fbe4b0d4e8a4fab5f484437e199d89fbb72128f1
SHA256 44e098932807f7100296c727fbe4b0d4e8a4fab5f484437e199d89fbb72128f1
Tags
upx discovery ransomware
score
9/10


Analysis Overview

score
9/10

SHA256

44e098932807f7100296c727fbe4b0d4e8a4fab5f484437e199d89fbb72128f1

Threat Level: Likely malicious

The file 44e098932807f7100296c727fbe4b0d4e8a4fab5f484437e199d89fbb72128f1 was found to be: Likely malicious.

Malicious Activity Summary

upx discovery ransomware

Renames multiple files with added filename extension (3694 files in the Windows 7 run, 5122 files in the Windows 10 run)

UPX packed file

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

MITRE ATT&CK (Enterprise Matrix V15)

T1614.001 System Location Discovery: System Language Discovery. Both behavioral runs show the sample opening \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, which is how ransomware families that exclude certain locales check the system language. Caveat: the report records only that the key was opened, not what the sample did with the value, and the same key is read by the Windows locale APIs on behalf of many benign programs, so treat it as supporting context rather than evidence on its own.

T1486 Data Encrypted for Impact is the conventional mapping for the ransomware-tagged "Renames multiple files with added filename extension" signature (editor's mapping; the report shows the mass renames and .tmp drops but does not show a ransom note or confirm that file contents were encrypted).

Analysis: static1

Detonation Overview

Reported

2024-10-20 21:23

Signatures

UPX packed file

upx
Description / Indicator / Process / Target: no rows recorded (all N/A).

Unsigned PE

Description / Indicator / Process / Target: no rows recorded (all N/A).
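The two static signatures above are header heuristics that can be reproduced without running the sample. The following is an added example (editor's code, not part of the sandbox report and not the sample's own code) that parses PE headers with the Python standard library and reports the features behind "UPX packed file" (UPX0/UPX1 section names, a section that is large in memory but has zero bytes on disk, an entry point outside the first section) and "Unsigned PE" (an empty Authenticode security directory). It runs on constructed PE32 headers built by build_sample_pe; the UPX-style layout is sized to the 0x400000-0x40A000 image range seen in this report's memory dumps, but it is not the real sample. Caveat: section names are trivially renamed, so on a real file confirm with upx -t and section entropy before trusting the label.

```python
"""Static header triage behind the 'UPX packed file' and 'Unsigned PE' signatures.
Standard library only; reads PE headers, so it also runs on the constructed samples below."""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # Authenticode certificate table


def parse_pe(data: bytes) -> dict:
    """Return entry-point RVA, section headers and the size of the security directory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32: data directories start at optional-header offset 96
        dd_off = opt + 96
    elif magic == 0x20B:      # PE32+: at offset 112
        dd_off = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    num_dd = struct.unpack_from("<I", data, dd_off - 4)[0]
    sec_size = 0
    if num_dd > IMAGE_DIRECTORY_ENTRY_SECURITY:
        _, sec_size = struct.unpack_from("<II", data, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    sections = []
    for i in range(nsections):
        name, vsize, va, raw_size, _ = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "va": va, "vsize": vsize, "raw_size": raw_size})
    return {"entry": entry, "sections": sections, "security_size": sec_size}


def triage_pe(data: bytes) -> dict:
    """Header heuristics: UPX section names, a section empty on disk, entry point location, signature."""
    pe = parse_pe(data)
    secs = pe["sections"]
    entry_section = next((s["name"] for s in secs
                          if s["va"] <= pe["entry"] < s["va"] + s["vsize"]), None)
    return {
        "upx_section_names": any(s["name"].startswith("UPX") for s in secs),
        # UPX0 is the unpack destination: large VirtualSize, zero SizeOfRawData.
        "hollow_section": any(s["raw_size"] == 0 and s["vsize"] > 0 for s in secs),
        # The UPX stub sits at the end of UPX1, so the entry point is not in the first section.
        "entry_section": entry_section,
        "entry_in_first_section": bool(secs) and entry_section == secs[0]["name"],
        "signed": pe["security_size"] > 0,   # empty security directory == "Unsigned PE"
    }


def build_sample_pe(layout: str, signed: bool = False) -> bytes:
    """Constructed PE32 header (no section bodies) for demonstration; not the report's sample."""
    if layout == "upx":
        # Typical UPX image: UPX0 empty on disk, stub at the end of UPX1, 0xA000 mapped size
        # (the same 0x400000-0x40A000 range as this report's memory dumps).
        sections = [("UPX0", 0x1000, 0x5000, 0), ("UPX1", 0x6000, 0x3000, 0x2400),
                    (".rsrc", 0x9000, 0x1000, 0x200)]
        entry = 0x8F60
    else:
        sections = [(".text", 0x1000, 0x2000, 0x2000), (".data", 0x3000, 0x1000, 0x400),
                    (".rsrc", 0x4000, 0x1000, 0x200)]
        entry = 0x1234
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 16, entry)                      # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                   # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)             # Section/FileAlignment
    struct.pack_into("<I", opt, 92, 16)                         # NumberOfRvaAndSizes
    if signed:                                                  # non-empty certificate table
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x3000, 0x600)
    hdrs, raw_ptr = bytearray(), 0x400
    for name, va, vsize, raw_size in sections:
        hdrs += struct.pack("<8sIIIIIIHHI", name.encode(), vsize, va, raw_size, raw_ptr,
                            0, 0, 0, 0, 0x60000020)
        raw_ptr += raw_size
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(hdrs)


if __name__ == "__main__":
    for layout in ("upx", "plain"):
        print(layout, triage_pe(build_sample_pe(layout, signed=(layout == "plain"))))
```

upx -d fails on samples whose UPX header has been patched; in that case the memory dumps listed under Files in the behavioral sections, taken after the stub has run, are the practical starting point for looking at the unpacked code rather than static unpacking.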

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-20 21:23

Reported

2024-10-20 21:26

Platform

win7-20240903-en

Max time kernel

150s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\44e098932807f7100296c727fbe4b0d4e8a4fab5f484437e199d89fbb72128f1.exe"

Signatures

Renames multiple (3694) files with added filename extension

ransomware

UPX packed file

upx
Description / Indicator / Process / Target: no rows recorded (all N/A).

Drops file in Program Files directory

Description Indicator Process Target
Every row shares Description "File created", Process C:\Users\Admin\AppData\Local\Temp\44e098932807f7100296c727fbe4b0d4e8a4fab5f484437e199d89fbb72128f1.exe and Target N/A; only the Indicator (the path created) varies. The report lists 64 paths while the rename signature above counts 3694 events, so this list is a sample, not the full set.
C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_Waitcursor.gif.tmp
C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\28.png.tmp
C:\Program Files\DVD Maker\audiodepthconverter.ax.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui_5.5.0.165303.jar.tmp
C:\Program Files\Java\jre7\Welcome.html.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\TravelIntroToMain.wmv.tmp
C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe.tmp
C:\Program Files\Java\jre7\lib\cmm\PYCC.pf.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core_zh_CN.jar.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jmx_zh_CN.jar.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\kor-kor.xml.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer.httpclient4_1.0.800.v20140827-1444.jar.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.app.nl_ja_4.4.0.v20140623020002.jar.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-settings.xml.tmp
C:\Program Files\Microsoft Games\Solitaire\SolitaireMCE.png.tmp
C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_a52_plugin.dll.tmp
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\mr.pak.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\feature.properties.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\epl-v10.html.tmp
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif.tmp
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\HST10.tmp
C:\Program Files\VideoLAN\VLC\lua\meta\art\03_lastfm.luac.tmp
C:\Program Files\Windows Journal\en-US\Journal.exe.mui.tmp
C:\Program Files\Java\jre7\bin\net.dll.tmp
C:\Program Files\Java\jre7\lib\zi\Europe\Kiev.tmp
C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\buttonDown_Off.png.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\tipresx.dll.mui.tmp
C:\Program Files\DVD Maker\it-IT\DVDMaker.exe.mui.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\updater_zh_CN.jar.tmp
C:\Program Files\Java\jre7\lib\zi\Etc\GMT-5.tmp
C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rssBackBlue_docked.png.tmp
C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waxing-gibbous_partly-cloudy.png.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-windows.xml.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-lib-profiler-common.jar.tmp
C:\Program Files\Java\jre7\lib\ext\localedata.jar.tmp
C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_Star_Empty.png.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.security.win32.x86_64_1.0.100.v20130327-1442.jar.tmp
C:\Program Files\Java\jre7\lib\calendars.properties.tmp
C:\Program Files\Java\jre7\lib\plugin.jar.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.commands.nl_zh_4.4.0.v20140623020002.jar.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.artifact.repository.nl_ja_4.4.0.v20140623020002.jar.tmp
C:\Program Files\Java\jre7\lib\zi\Indian\Chagos.tmp
C:\Program Files\Java\jre7\lib\zi\Pacific\Bougainville.tmp
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\System.RunTime.Serialization.Resources.dll.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\en-US\FlickLearningWizard.exe.mui.tmp
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\et.pak.tmp
C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa.tmp
C:\Program Files\VideoLAN\VLC\lua\playlist\rockbox_fm_presets.luac.tmp
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\BIBUtils.dll.tmp
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\UKRAINE.TXT.tmp
C:\Program Files\Common Files\System\Ole DB\sqloledb.rll.tmp
C:\Program Files\Java\jre7\lib\zi\Asia\Vladivostok.tmp
C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\37.png.tmp
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Danmarkshavn.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-editor-mimelookup-impl_zh_CN.jar.tmp
C:\Program Files\7-Zip\Lang\tk.txt.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\mshwLatin.dll.tmp
C:\Program Files\Java\jdk1.7.0_80\jre\bin\management.dll.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-queries_zh_CN.jar.tmp
C:\Program Files\Java\jre7\lib\javafx.properties.tmp
C:\Program Files\Java\jre7\lib\zi\Asia\Yakutsk.tmp
C:\Program Files\Microsoft Games\SpiderSolitaire\ja-JP\SpiderSolitaire.exe.mui.tmp
C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\logo.png.tmp
C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee100.tlb.tmp

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\44e098932807f7100296c727fbe4b0d4e8a4fab5f484437e199d89fbb72128f1.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\44e098932807f7100296c727fbe4b0d4e8a4fab5f484437e199d89fbb72128f1.exe

"C:\Users\Admin\AppData\Local\Temp\44e098932807f7100296c727fbe4b0d4e8a4fab5f484437e199d89fbb72128f1.exe"

Network

N/A

Files

memory/2348-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-4177215427-74451935-3209572229-1000\desktop.ini.tmp

MD5 ab02923f5bfcdbc94c301e8bf2859811
SHA1 f3d4fc0d32eb421fbe4786f9a283661bdf0c8a82
SHA256 dd3a2ab593d9858ac973f324c9f8ae5948649e05edc476abe06a9e96813f8d4c
SHA512 2d9badf75f23fddad0047f7b82533823f58041bcade38a1233eccd06ab46f9e5b76993715aa97eb8b67d842a1875a3d3e2047c0163844e5a98f02fe281de385c

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 5f98d58c920ae087b0c2738948915af5
SHA1 6b2eaf8b9f55e680d350359d5f1dcc62f3643a0d
SHA256 1c79829a99041a14d01f0bd6af8e0ccf5f4277292d481835b6bd9dfcfdf78532
SHA512 f4d40ea61f222408059779f7e881c5c6c19db50c371e306c2cdfea76ee94bc54c7e78cc5c8008671cae6e9c9c8d5293baf694b55b6b819d2e38db9339e390dc7

memory/2348-69-0x0000000000400000-0x000000000040A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-20 21:23

Reported

2024-10-20 21:25

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\44e098932807f7100296c727fbe4b0d4e8a4fab5f484437e199d89fbb72128f1.exe"

Signatures

Renames multiple (5122) files with added filename extension

ransomware

UPX packed file

upx
Description / Indicator / Process / Target: no rows recorded (all N/A).

Drops file in Program Files directory

Description Indicator Process Target
Every row shares Description "File created", Process C:\Users\Admin\AppData\Local\Temp\44e098932807f7100296c727fbe4b0d4e8a4fab5f484437e199d89fbb72128f1.exe and Target N/A; only the Indicator (the path created) varies. The report lists 64 paths while the rename signature above counts 5122 events, so this list is a sample, not the full set.
C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_MAK-pl.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\basicstylish.dotx.tmp
C:\Program Files\Microsoft Office\root\Integration\C2RManifest.officemuiset.msi.16.en-us.xml.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\System.Windows.Input.Manipulations.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\Microsoft.VisualBasic.Forms.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Windows.Forms.Primitives.resources.dll.tmp
C:\Program Files\Internet Explorer\images\bing.ico.tmp
C:\Program Files\Java\jre-1.8\bin\ucrtbase.dll.tmp
C:\Program Files\Microsoft Office\root\Document Themes 16\Gallery.thmx.tmp
C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA\zlibwapi.dll.tmp
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\oskmenubase.xml.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Principal.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\UIAutomationClientSideProviders.resources.dll.tmp
C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_zh_CN.properties.tmp
C:\Program Files\Common Files\System\ado\msadomd.dll.tmp
C:\Program Files\Java\jre-1.8\bin\net.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentDemoR_BypassTrial180-ul-oob.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Trial-pl.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN110.XML.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Resources.Extensions.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\System.Windows.Forms.Primitives.resources.dll.tmp
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ms.pak.tmp
C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest2-ppd.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial3-pl.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Retail-ppd.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\GRAPH.EXE.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.Encoding.dll.tmp
C:\Program Files\Microsoft Office\root\Office16\MEDIA\LASER.WAV.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Collections.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\PresentationCore.resources.dll.tmp
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe.tmp
C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\npjp2.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_OEM_Perp-ppd.xrm-ms.tmp
C:\Program Files\Common Files\System\msadc\fr-FR\msadcer.dll.mui.tmp
C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_KMS_Client_AE-ul.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.scale-80.png.tmp
C:\Program Files\Microsoft Office\root\Office16\OFFSYMSB.TTF.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.CompilerServices.VisualC.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.Annotations.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Threading.AccessControl.dll.tmp
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ar.pak.tmp
C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-ul-phn.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Retail-pl.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\MYSL.ICO.tmp
C:\Program Files\Common Files\System\ado\msador15.dll.tmp
C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-180.png.tmp
C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN108.XML.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Serialization.Xml.dll.tmp
C:\Program Files\Java\jre-1.8\lib\jfr\default.jfc.tmp
C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Subtle Solids.eftx.tmp
C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.ReportDesign.Forms.dll.tmp
C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL027.XML.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Metadata.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Windows.Input.Manipulations.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\UIAutomationClient.dll.tmp
C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\comments.win32.tpn.tmp
C:\Program Files\Microsoft Office\root\Templates\1033\ApothecaryResume.dotx.tmp
C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.da-dk.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\UIAutomationProvider.resources.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Grace-ul-oob.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\MML2OMML.XSL.tmp

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\44e098932807f7100296c727fbe4b0d4e8a4fab5f484437e199d89fbb72128f1.exe N/A
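The "Renames multiple (N) files with added filename extension" signature and the "Drops file in Program Files directory" lists in both behavioral runs are consistent with one loop: a .tmp is written next to each target and the original name gains an extra extension. As an added example (editor's code, not the sandbox's own detection logic and not the sample), the following Python scores per-process file events the way such a signature does: it counts renames whose destination is exactly the source plus one appended extension, collects the extensions seen, counts .tmp creations under Program Files, and flags a process once enough renames fall inside a time window. The event lines are constructed; the ".locked" extension is a placeholder, because the report does not show what this sample appends, and pid 2348 is borrowed from the Windows 7 memory-dump names only as a label.

```python
"""Triage of file events for the two behavioral signatures above:
mass 'rename with added extension' and .tmp drops under Program Files."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sandbox-style event lines (not the report's own log). pid 2348 mimics the
# sample; pid 1120 is a benign editor. ".locked" is a placeholder: the report does not
# name the extension the sample appends.
SAMPLE_EVENTS = r"""
2024-10-20 21:24:01 pid=2348 create C:\Program Files\Java\jre7\Welcome.html.tmp
2024-10-20 21:24:01 pid=2348 rename C:\Program Files\Java\jre7\Welcome.html -> C:\Program Files\Java\jre7\Welcome.html.locked
2024-10-20 21:24:02 pid=2348 create C:\Program Files\7-Zip\Lang\tk.txt.tmp
2024-10-20 21:24:02 pid=2348 rename C:\Program Files\7-Zip\Lang\tk.txt -> C:\Program Files\7-Zip\Lang\tk.txt.locked
2024-10-20 21:24:03 pid=2348 create C:\Program Files (x86)\Adobe\Reader 9.0\Reader\BIBUtils.dll.tmp
2024-10-20 21:24:03 pid=2348 rename C:\Program Files (x86)\Adobe\Reader 9.0\Reader\BIBUtils.dll -> C:\Program Files (x86)\Adobe\Reader 9.0\Reader\BIBUtils.dll.locked
2024-10-20 21:24:04 pid=2348 create C:\Program Files\DVD Maker\audiodepthconverter.ax.tmp
2024-10-20 21:24:04 pid=2348 rename C:\Program Files\DVD Maker\audiodepthconverter.ax -> C:\Program Files\DVD Maker\audiodepthconverter.ax.locked
2024-10-20 21:24:04 pid=2348 create C:\Users\Admin\Documents\notes.txt.tmp
2024-10-20 21:24:05 pid=1120 rename C:\Users\Admin\report.docx -> C:\Users\Admin\report_final.docx
2024-10-20 21:24:06 pid=1120 rename C:\Users\Admin\a.txt -> C:\Users\Admin\a.txt.bak
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) pid=(?P<pid>\d+) (?P<op>create|rename) "
    r"(?P<src>.+?)(?: -> (?P<dst>.+))?$")


def parse_events(text):
    """Yield one dict per line that matches the constructed format; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   "pid": int(m["pid"]), "op": m["op"], "src": m["src"], "dst": m["dst"]}


def added_extension(src, dst):
    """Return the extension appended if dst is exactly src + '.<ext>' (case-insensitive), else None."""
    if not dst or not dst.lower().startswith(src.lower()):
        return None
    m = re.fullmatch(r"\.([A-Za-z0-9_-]{1,16})", dst[len(src):])
    return m.group(1).lower() if m else None


def triage_file_events(text, min_renames=3, window_seconds=60):
    """Per-pid summary; 'suspicious' when min_renames added-extension renames fall in one window."""
    state = defaultdict(lambda: {"renames": [], "exts": set(), "dirs": set(), "tmp_drops": 0})
    for ev in parse_events(text):
        st = state[ev["pid"]]
        path = ev["src"].lower()
        if ev["op"] == "create" and path.endswith(".tmp") and path.startswith("c:\\program files"):
            st["tmp_drops"] += 1          # the report's "Drops file in Program Files directory"
        elif ev["op"] == "rename":
            ext = added_extension(ev["src"], ev["dst"])
            if ext:                       # the report's "Renames ... with added filename extension"
                st["renames"].append(ev["ts"])
                st["exts"].add(ext)
                st["dirs"].add(path.rsplit("\\", 1)[0])
    findings = {}
    for pid, st in state.items():
        stamps = sorted(st["renames"])
        best, j = 0, 0
        for i, t in enumerate(stamps):    # sliding window: most renames in any window_seconds span
            while (t - stamps[j]).total_seconds() > window_seconds:
                j += 1
            best = max(best, i - j + 1)
        findings[pid] = {"total_renames": len(stamps), "renames_in_window": best,
                         "extensions": sorted(st["exts"]), "distinct_dirs": len(st["dirs"]),
                         "tmp_drops": st["tmp_drops"], "suspicious": best >= min_renames}
    return findings


if __name__ == "__main__":
    for pid, f in sorted(triage_file_events(SAMPLE_EVENTS).items()):
        print(pid, f)
```

The threshold of 3 renames in 60 seconds is for the constructed input; against real endpoint telemetry a figure in the tens per minute separates the 3694 and 5122 counts seen here from backup tools that append .bak or editors that save to a temporary file and rename it, and the distinct_dirs figure helps too, since those benign cases stay inside one directory.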

Processes

C:\Users\Admin\AppData\Local\Temp\44e098932807f7100296c727fbe4b0d4e8a4fab5f484437e199d89fbb72128f1.exe

"C:\Users\Admin\AppData\Local\Temp\44e098932807f7100296c727fbe4b0d4e8a4fab5f484437e199d89fbb72128f1.exe"

Network

All traffic recorded in this run is reverse-DNS (PTR) lookups through 8.8.8.8 and TLS to tse1.mm.bing.net, a Microsoft-owned host that Windows 10 itself contacts in the background; the report attributes none of it to the sample's process, and the Windows 7 run above recorded no traffic at all. Treat the table as sandbox background noise rather than evidence of command-and-control or key exchange.

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 104.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 98.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 100.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 9.179.89.13.in-addr.arpa udp

Files

memory/3444-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3227495264-2217614367-4027411560-1000\desktop.ini.tmp

MD5 c60e090127ca10db3bb53ddcac4a214b
SHA1 1a97a7eff3f829fa03184bb04d7a60c978020a89
SHA256 46d8579c11d10025e3cda6cf937c2e28c3a49e7a267f8850ca94d0017bb8b0c0
SHA512 bd47e8f258b095bc75556e384798632cbe7570aa7e9e6a048f1333be4aaed359832f1e4c806b77d821212336943ecac971769df93b3a3afceab0fe6d7c71ff4c

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 820cd0bfbff05afac7689c6396fe35b6
SHA1 931a6e0e73a6a4f40186498d4d4e64738ed26ce2
SHA256 a6b4433bc65d68e77055055eb724c966f79e267fd47f1deaa93607e9aa4292dd
SHA512 309ffc8153ee30646bb7717a479f130c530a5fe587da7f3287a48fc7a376a15096a281f242e75b48343e3bbc68e27099b6b0b67f2a88defefb91044b7d82a2a5

memory/3444-778-0x0000000000400000-0x000000000040A000-memory.dmp