Malware Analysis Report

2024-11-13 18:00

Sample ID: 241110-brpxqsweqj
Target: a69bf2de681ec97c1f9af78fb337b786bf0a8b792c89f05bd9f40ac335f66062 (submitted file name)
SHA256: a69bf2de681ec97c1f9af78fb337b786bf0a8b792c89f05bd9f40ac335f66062
Tags: upx, discovery, ransomware
Score: 9/10

Table of Contents

Analysis Overview
MITRE ATT&CK: Enterprise Matrix V15
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 9/10
SHA256: a69bf2de681ec97c1f9af78fb337b786bf0a8b792c89f05bd9f40ac335f66062
Threat Level: Likely malicious

Malicious Activity Summary

Tags: upx, discovery, ransomware

Renames multiple (3629) files with added filename extension (behavioral1, win7)
Renames multiple (4871) files with added filename extension (behavioral2, win10)
UPX packed file
Drops file in Program Files directory
Unsigned PE
System Location Discovery: System Language Discovery

MITRE ATT&CK (Enterprise Matrix V15)

Technique observed in both behavioral runs, from the discovery signature recorded below: System Location Discovery: System Language Discovery (T1614.001).

Analysis: static1

Detonation Overview

Reported: 2024-11-10 01:22

Signatures

UPX packed file (tag: upx): no indicator details recorded.

Unsigned PE: no indicator details recorded.
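The two static1 signatures are header-level facts, so they can be checked without running the sample. The following Python is an added example, not code from the report or from the sandbox: inspect_pe parses the DOS, COFF and optional headers plus the section table, flags UPX by its default UPX0/UPX1/UPX2 section names, and reports the file as unsigned when the security data directory (entry 4, the Authenticode certificate table) is empty. Because the sample's bytes are not on this page, build_pe constructs header-only test images; those are constructed data, not the analysed file.

```python
"""Static checks behind the report's two static1 signatures, 'UPX packed file'
and 'Unsigned PE', taken from PE headers alone. Added example, not sandbox code."""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4          # Authenticode certificate table
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def inspect_pe(data: bytes) -> dict:
    """Parse the DOS/COFF/optional headers and section table of a PE image and
    report its section names, whether any carry UPX's default names, and whether
    the security data directory points at an embedded Authenticode blob."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, n_sections, _ts, _symtab, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    try:
        dd_offset = {0x10B: 96, 0x20B: 112}[magic]   # data directories start: PE32 / PE32+
    except KeyError:
        raise ValueError(f"unknown optional header magic {magic:#x}") from None
    n_dirs = struct.unpack_from("<I", data, opt + dd_offset - 4)[0]   # NumberOfRvaAndSizes
    sec_off = sec_size = 0
    if n_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        # Unlike the other directories this entry holds a raw file offset, not an RVA.
        sec_off, sec_size = struct.unpack_from(
            "<II", data, opt + dd_offset + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    sec_table = opt + opt_size
    names = [struct.unpack_from("<8s", data, sec_table + 40 * i)[0].rstrip(b"\0")
             for i in range(n_sections)]
    return {
        "sections": [n.decode("ascii", "replace") for n in names],
        "upx": any(n in UPX_SECTION_NAMES for n in names),
        "authenticode": sec_off != 0 and sec_size != 0,
    }


def static_signatures(data: bytes) -> list:
    """Map the header facts onto the report's signature names."""
    info = inspect_pe(data)
    hits = []
    if info["upx"]:
        hits.append("UPX packed file")
    if not info["authenticode"]:
        hits.append("Unsigned PE")
    return hits


def build_pe(section_names, signed=False, pe32plus=False) -> bytes:
    """Construct a header-only PE image for testing (constructed data, not the
    sample from the report; it carries no code and cannot execute)."""
    opt_size, magic, dd_offset = (240, 0x20B, 112) if pe32plus else (224, 0x10B, 96)
    machine = 0x8664 if pe32plus else 0x14C
    e_lfanew = 0x40
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", machine, len(section_names), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, dd_offset - 4, 16)      # NumberOfRvaAndSizes
    if signed:
        # Non-zero offset/size for the certificate table: a signature blob is present.
        struct.pack_into("<II", opt, dd_offset + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x4000, 0x1A00)
    sections = b"".join(struct.pack("<8s32x", name.encode("ascii")) for name in section_names)
    return dos + b"PE\0\0" + coff + bytes(opt) + sections


if __name__ == "__main__":
    print(static_signatures(build_pe(["UPX0", "UPX1", ".rsrc"])))       # ['UPX packed file', 'Unsigned PE']
    print(static_signatures(build_pe([".text", ".data"], signed=True)))  # []
```

Both checks are deliberately cheap and therefore weak on their own: UPX can be told to rename its sections, and a non-empty certificate table only says a signature blob is present, not that it verifies or chains to a trusted root, while catalog-signed Windows binaries have an empty directory yet are signed. Treat the result as triage input, as the report does, and confirm packing with section entropy and import-table size and signing with a real Authenticode verifier.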

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-10 01:22
Reported: 2024-11-10 01:25
Platform: win7-20240903-en
Max time kernel: 150s
Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a69bf2de681ec97c1f9af78fb337b786bf0a8b792c89f05bd9f40ac335f66062.exe"

Signatures

Renames multiple (3629) files with added filename extension (tag: ransomware)

UPX packed file (tag: upx): no indicator details recorded.

Drops file in Program Files directory

All 64 rows are "File created" events by C:\Users\Admin\AppData\Local\Temp\a69bf2de681ec97c1f9af78fb337b786bf0a8b792c89f05bd9f40ac335f66062.exe (Target: N/A); the indicator is the created path, in every case an existing file name with .tmp appended, including files that had no extension of their own (the Java zoneinfo entries):

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.transport.ecf.nl_ja_4.4.0.v20140623020002.jar.tmp
C:\Program Files\Java\jre7\bin\j2pcsc.dll.tmp
C:\Program Files\Java\jre7\lib\zi\America\Rankin_Inlet.tmp
C:\Program Files\Windows Journal\Templates\Shorthand.jtp.tmp
C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\css\localizedSettings.css.tmp
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\fi.pak.tmp
C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\LINEAR_RGB.pf.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\license.html.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.nl_zh_4.4.0.v20140623020002.jar.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\boot_ja.jar.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-coredump.jar.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\tipresx.dll.mui.tmp
C:\Program Files\VideoLAN\VLC\plugins\codec\libflac_plugin.dll.tmp
C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\js\clock.js.tmp
C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_Flyout_Thumbnail_Shadow.png.tmp
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-util-lookup_ja.jar.tmp
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\osppobjs-spp-plugin-manifest-signed.xrm-ms.tmp
C:\Program Files\Java\jre7\lib\zi\Europe\Luxembourg.tmp
C:\Program Files\Java\jre7\lib\zi\Indian\Kerguelen.tmp
C:\Program Files\Windows Media Player\de-DE\wmpnetwk.exe.mui.tmp
C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\cpu.html.tmp
C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_corner_top_left.png.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\tipskins.dll.tmp
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Ashgabat.tmp
C:\Program Files\Java\jre7\lib\zi\America\Santiago.tmp
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Net.dll.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\Full\1047x576black.png.tmp
C:\Program Files\Java\jre7\bin\zip.dll.tmp
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\Words.pdf.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad.xml.tmp
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Pohnpei.tmp
C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_shout_plugin.dll.tmp
C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\css\clock.css.tmp
C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\system_settings.png.tmp
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\it.pak.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\imjplm.dll.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\tipresx.dll.mui.tmp
C:\Program Files\CopyOpen.png.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\btn-next-static.png.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.eclipse.nl_ja_4.4.0.v20140623020002.jar.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-dialogs.xml.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-outline_zh_CN.jar.tmp
C:\Program Files\7-Zip\Lang\io.txt.tmp
C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\gadget.xml.tmp
C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rssBackBlue_Undocked.png.tmp
C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\slideShow.html.tmp
C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\css\settings.css.tmp
C:\Program Files\Microsoft Games\Purble Place\fr-FR\PurblePlace.exe.mui.tmp
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Tripoli.tmp
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Auckland.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.engine.nl_ja_4.4.0.v20140623020002.jar.tmp
C:\Program Files\Windows Journal\it-IT\NBMapTIP.dll.mui.tmp
C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\localizedStrings.js.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationRight_SelectionSubpicture.png.tmp
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\zh-CN.pak.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-loaders.jar.tmp
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\UIAutomationProvider.resources.dll.tmp
C:\Program Files\VideoLAN\VLC\plugins\text_renderer\libtdummy_plugin.dll.tmp
C:\Program Files\Windows Media Player\fr-FR\setup_wm.exe.mui.tmp
C:\Program Files\Common Files\Microsoft Shared\Stationery\ShadesOfBlue.jpg.tmp
C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.lnk.tmp
C:\Program Files\VideoLAN\VLC\lua\http\images\Other-48.png.tmp
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\JSByteCodeWin.bin.tmp

System Location Discovery: System Language Discovery (tag: discovery)

Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by C:\Users\Admin\AppData\Local\Temp\a69bf2de681ec97c1f9af78fb337b786bf0a8b792c89f05bd9f40ac335f66062.exe (Target: N/A)

Processes

C:\Users\Admin\AppData\Local\Temp\a69bf2de681ec97c1f9af78fb337b786bf0a8b792c89f05bd9f40ac335f66062.exe

"C:\Users\Admin\AppData\Local\Temp\a69bf2de681ec97c1f9af78fb337b786bf0a8b792c89f05bd9f40ac335f66062.exe"

Network

None recorded in this run.

Files

memory/2640-0-0x0000000000400000-0x000000000040B000-memory.dmp (memory dump of PID 2640, image region 0x00400000-0x0040B000)

C:\$Recycle.Bin\S-1-5-21-3063565911-2056067323-3330884624-1000\desktop.ini.tmp

MD5 56c7d615b44fce6ca7e0cb0f4ac8e905
SHA1 235b8899a977e5675ddbdc82797ea8bff0ddf8cc
SHA256 f6c75b15b992f1f9824e10578ef7d10ffdaa3eb7d4504468eca941f9d048f5a4
SHA512 f4a931f86b32df279f6a4c3b300a5b700dcb680be179b1892064b65ddeb1387057bd10dd8bb0589f8801d15a0106d306048215e97249cdbe47e9e44c3bddd371

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 23b9ec3abadd9662e73a9a041ad6dbed
SHA1 1ba5f048fc1e8ad9c34c950f809d16c8118acf38
SHA256 c223f2ea70425a76ef22bc3d558005892b7e30c1bf4ca60e0592994a1eb6b972
SHA512 4058f0c85589faa6b1c74499106e11cf8a47e880d63254275356b04e8133484a351ac9bb656b663e1d212372ddd76b83c2354cf3055ef1fbafffb610a4b9acb4

memory/2640-72-0x0000000000400000-0x000000000040B000-memory.dmp (later dump of the same PID 2640 region)

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-10 01:22
Reported: 2024-11-10 01:25
Platform: win10v2004-20241007-en
Max time kernel: 150s
Max time network: 144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a69bf2de681ec97c1f9af78fb337b786bf0a8b792c89f05bd9f40ac335f66062.exe"

Signatures

Renames multiple (4871) files with added filename extension (tag: ransomware)

UPX packed file (tag: upx): no indicator details recorded.

Drops file in Program Files directory

All 64 rows are "File created" events by C:\Users\Admin\AppData\Local\Temp\a69bf2de681ec97c1f9af78fb337b786bf0a8b792c89f05bd9f40ac335f66062.exe (Target: N/A); the indicator is the created path, in every case an existing file name with .tmp appended:

C:\Program Files\Java\jre-1.8\bin\dtplugin\npdeployJava1.dll.tmp
C:\Program Files\Microsoft Office\root\Client\msvcr120.dll.tmp
C:\Program Files\Microsoft Office\root\Document Themes 16\Integral.thmx.tmp
C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Trial-ppd.xrm-ms.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.FileVersionInfo.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Forms.Primitives.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.AeroLite.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Grace-ul-oob.xrm-ms.tmp
C:\Program Files\7-Zip\History.txt.tmp
C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-ppd.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-ppd.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Trial-ppd.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-ppd.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Retail-pl.xrm-ms.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XPath.dll.tmp
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe.tmp
C:\Program Files\Java\jre-1.8\bin\jsdt.dll.tmp
C:\Program Files\Microsoft Office\root\Office16\MSIPC\no\msipc.dll.mui.tmp
C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-timezone-l1-1-0.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Windows.Forms.Design.resources.dll.tmp
C:\Program Files\Java\jdk-1.8\javafx-src.zip.tmp
C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-pl.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-ppd.xrm-ms.tmp
C:\Program Files\dotnet\host\fxr\8.0.2\hostfxr.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Microsoft.Win32.SystemEvents.dll.tmp
C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-180.png.tmp
C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Grace-ppd.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Trial-pl.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\sfodbc_sb64.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Compression.ZipFile.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Windows.Forms.Primitives.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\UIAutomationTypes.resources.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Trial-ul-oob.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial4-ul-oob.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTrial-ppd.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-ppd.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\WordVL_MAK-pl.xrm-ms.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Resources.ResourceManager.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\UIAutomationClient.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework-SystemDrawing.dll.tmp
C:\Program Files\Java\jdk-1.8\include\jni.h.tmp
C:\Program Files\Microsoft Office\root\Licenses16\VisioProMSDNR_Retail-ul-oob.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-100.png.tmp
C:\Program Files\Common Files\microsoft shared\ink\ipsdan.xml.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\UIAutomationClientSideProviders.resources.dll.tmp
C:\Program Files\Internet Explorer\SIGNUP\install.ins.tmp
C:\Program Files\Microsoft Office\root\Office16\CHAKRACORE.DLL.tmp
C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN092.XML.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\PresentationUI.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\Microsoft.VisualBasic.Forms.resources.dll.tmp
C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-processthreads-l1-1-0.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\UIAutomationProvider.resources.dll.tmp
C:\Program Files\Microsoft Office\root\Office16\MSOARIACAPI.DLL.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Tasks.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\PresentationFramework.resources.dll.tmp
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe.tmp
C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Trial-ul-oob.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\ReportingServicesNativeClient.dll.tmp
C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\ReachFramework.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\System.Windows.Input.Manipulations.resources.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_MAK-pl.xrm-ms.tmp

System Location Discovery: System Language Discovery (tag: discovery)

Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by C:\Users\Admin\AppData\Local\Temp\a69bf2de681ec97c1f9af78fb337b786bf0a8b792c89f05bd9f40ac335f66062.exe (Target: N/A)
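Both behavioral runs carry the same two file-system signatures, "Renames multiple (N) files with added filename extension" and "Drops file in Program Files directory", and every dropped path in those tables is an existing file name with a further extension appended. The following Python is an added example, not the sandbox's own logic, of turning that observation into a detection over sandbox file-event lines in the report's "Description Indicator Process Target" layout: it groups created files by the writing process and flags a process whose dominant added extension appears on many files across many directories. The event lines are constructed here (the ransomware's process path is shortened to sample.exe, and two msiexec lines are included as benign contrast), and the thresholds are assumptions to tune per environment.

```python
"""Flag a process that writes many files carrying one common extra extension
across several directories: the pattern behind the report's "Renames multiple
files with added filename extension" signature. Added example, not sandbox code."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample events in the report's "Description Indicator Process Target"
# layout. The ransomware process is shortened to sample.exe (the report names it by
# its SHA256); the msiexec lines are benign noise for contrast.
SAMPLE_EVENTS = r"""
File created C:\Program Files\7-Zip\Lang\io.txt.tmp C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File created C:\Program Files\Java\jre7\bin\zip.dll.tmp C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File created C:\Program Files\Windows Journal\Templates\Shorthand.jtp.tmp C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif.tmp C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File created C:\$Recycle.Bin\S-1-5-21-1-2-3-1000\desktop.ini.tmp C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Rankin_Inlet.tmp C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File created C:\Windows\Installer\MSI1234.tmp C:\Windows\System32\msiexec.exe N/A
File created C:\Program Files\Tool\tool.exe.tmp C:\Windows\System32\msiexec.exe N/A
"""

# The path column may contain spaces ("Program Files"); the process column does not,
# so the split is anchored on " <drive>:\" followed by a space-free run.
EVENT_RE = re.compile(r"^File created (?P<path>.+?) (?P<process>[A-Za-z]:\\\S+) (?P<target>\S+)$")


def parse_events(text):
    """Return (path, process) for each 'File created' line; other lines are ignored."""
    events = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append((m["path"], m["process"]))
    return events


def added_extension(path):
    """Return the trailing suffix when the name looks like <original>.<ext>.<added>
    (e.g. 'zip.dll.tmp' -> '.tmp'); None for single-suffix names. Simplification:
    the sandbox compares against the pre-existing name and so also catches
    extensionless originals such as the Java zoneinfo files; this check does not."""
    suffixes = PureWindowsPath(path).suffixes
    return suffixes[-1].lower() if len(suffixes) >= 2 else None


def score_events(text, min_files=50, min_dirs=5):
    """Group created files by writing process and report each process whose most
    common added extension is on at least min_files files in at least min_dirs
    distinct directories. Default thresholds are assumptions; tune them."""
    per_proc = defaultdict(lambda: {"exts": defaultdict(int), "dirs": set()})
    for path, proc in parse_events(text):
        ext = added_extension(path)
        if ext is None:
            continue
        stats = per_proc[proc]
        stats["exts"][ext] += 1
        stats["dirs"].add(str(PureWindowsPath(path).parent).lower())
    findings = []
    for proc, stats in per_proc.items():
        ext, count = max(stats["exts"].items(), key=lambda kv: kv[1])
        if count >= min_files and len(stats["dirs"]) >= min_dirs:
            findings.append({
                "process": proc,
                "extension": ext,
                "files": count,
                "directories": len(stats["dirs"]),
                "signature": f"Renames multiple ({count}) files with added filename extension",
            })
    findings.sort(key=lambda f: f["files"], reverse=True)
    return findings


if __name__ == "__main__":
    # Low thresholds only because the constructed sample has eight lines.
    for hit in score_events(SAMPLE_EVENTS, min_files=5, min_dirs=3):
        print(hit)
```

On the constructed input only sample.exe is reported (five .tmp siblings in five directories); msiexec's single .exe.tmp and the extensionless Rankin_Inlet.tmp are not counted. In a real pipeline the per-directory spread matters as much as the count: an installer also writes hundreds of files, but into one tree, whereas the report's sample touched Java, Office, VLC, Chrome and the Recycle Bin in one run.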

Processes

C:\Users\Admin\AppData\Local\Temp\a69bf2de681ec97c1f9af78fb337b786bf0a8b792c89f05bd9f40ac335f66062.exe

"C:\Users\Admin\AppData\Local\Temp\a69bf2de681ec97c1f9af78fb337b786bf0a8b792c89f05bd9f40ac335f66062.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp

Every entry is a reverse-DNS (PTR) lookup over UDP to Google's public resolver, and no other connection appears in the capture. Such lookups are not evidence of command-and-control on their own; compare them against a clean baseline of the win10v2004 image before treating any of these addresses as an indicator.

Files

memory/1852-0-0x0000000000400000-0x000000000040B000-memory.dmp (memory dump of PID 1852, image region 0x00400000-0x0040B000)

C:\$Recycle.Bin\S-1-5-21-4050598569-1597076380-177084960-1000\desktop.ini.tmp

MD5 fba55f6472ea5021d193f0af5d0b48cb
SHA1 5e01ae2a4c1399ff3dc19b32f580719d8aed1182
SHA256 9fb40aa3b64673c760ab7b8cf57b40139980fdd9c93b4e0467490f8f1a9d6a0c
SHA512 53e9e264d8237f814e84d012955e1219282834a1ec40de1ce6a209381d7519e6d4fbd43a70f56e4207ff7aaef75a57cce566b6905c7c492ec768763323580806

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 34f40f8f4c30d5c4f72c607114f6d2f4
SHA1 8c407c3abb998292139895f07aeb3fd848352c44
SHA256 e2d0d1e14e816e4a4c83b99749041929ad603c812d3a33f3c78399b46e4a2e0f
SHA512 6d11dac884ba44645b7cc6108801ba2545a58d3dfdd4f7713b37377b6f4713564f902124559ddded7eeb0691b61b04df7ce675ce3c29ec4c523f566bf2a076a5

memory/1852-660-0x0000000000400000-0x000000000040B000-memory.dmp (later dump of the same PID 1852 region)