Malware Analysis Report

2024-12-07 10:16

Sample ID 241112-tqa2aswfnd
Target 560d624a4d799f4434ed0603304a3a5cff790d74a337f3a688258493812582c5
SHA256 560d624a4d799f4434ed0603304a3a5cff790d74a337f3a688258493812582c5
Tags upx discovery ransomware
Score 9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 9/10
SHA256 560d624a4d799f4434ed0603304a3a5cff790d74a337f3a688258493812582c5

Threat Level: Likely malicious

The file 560d624a4d799f4434ed0603304a3a5cff790d74a337f3a688258493812582c5 was found to be: Likely malicious.

Malicious Activity Summary

upx discovery ransomware

Renames multiple (4729) files with added filename extension

Renames multiple (3436) files with added filename extension

UPX packed file

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-11-12 16:15

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-11-12 16:15
Reported 2024-11-12 16:17
Platform win7-20240903-en
Max time kernel 150s
Max time network 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\560d624a4d799f4434ed0603304a3a5cff790d74a337f3a688258493812582c5.exe"

Signatures

Renames multiple (3436) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\560d624a4d799f4434ed0603304a3a5cff790d74a337f3a688258493812582c5.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\560d624a4d799f4434ed0603304a3a5cff790d74a337f3a688258493812582c5.exe

"C:\Users\Admin\AppData\Local\Temp\560d624a4d799f4434ed0603304a3a5cff790d74a337f3a688258493812582c5.exe"

Network

N/A

Files

memory/2448-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3063565911-2056067323-3330884624-1000\desktop.ini.tmp

MD5 cac58a926cceba8c8b958ced1ce3c833
SHA1 3e6b3c2de0c0abad67c65b43b380cbd93ace2657
SHA256 442cffb5224008265e239fe9d7e2db1ec954aad821566272a4766091e46f2ead
SHA512 5ae696cd473a96e6854d11af2056ccc052941d6abff50b1e533b2968aed385248a566ba317d201901482a50de811a8f6779533e1e8a8d0927cf299c237345467

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 b9b7fc6f5896697d551c053c19fc1c09
SHA1 c349e9954810caede56e59cdbb052f9b4a2f42b1
SHA256 b78569954c6b891e9f6d770e37e94e2c4a748c0e97225073004cdacae08621b2
SHA512 8deabd114d52021b545e448ab3ed679ea112b64a985237fdc8edc5f197d3de6901ef4e5b047afb8a3d7bbdc4d4dc364e07e5d1059acfde08d57f0d3f46ff3fb3

memory/2448-68-0x0000000000400000-0x000000000040B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-11-12 16:15
Reported 2024-11-12 16:17
Platform win10v2004-20241007-en
Max time kernel 150s
Max time network 142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\560d624a4d799f4434ed0603304a3a5cff790d74a337f3a688258493812582c5.exe"

Signatures

Renames multiple (4729) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\560d624a4d799f4434ed0603304a3a5cff790d74a337f3a688258493812582c5.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\560d624a4d799f4434ed0603304a3a5cff790d74a337f3a688258493812582c5.exe

"C:\Users\Admin\AppData\Local\Temp\560d624a4d799f4434ed0603304a3a5cff790d74a337f3a688258493812582c5.exe"

Network

Country Destination Domain Proto

Files

memory/392-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3227495264-2217614367-4027411560-1000\desktop.ini.tmp

MD5 11314dcf53e7dcabfb9a7732f8e95ebc
SHA1 fda2bdcdfd0a635b2230ed551ca583698c6dd40a
SHA256 5704125154680aecef3523814e173f228d81ccfba763558f0b47ab8e873f209a
SHA512 e0c27e77ddacb7099628f6bef296d7e8ebc0540c9d58f7705d679feb22ccff9ab7af3cf7ba7056fb08b2316f6859cc2f160006ddb1fd7ef4911713ec58275597

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 02d3de17b272a1330060473b1d5cb60a
SHA1 4909ddb133779fe7daa303072fd4b43f32dd2964
SHA256 033a8d965c0a64608446539fc32cf4fdbefb3075760db7b7620cac556b0393e5
SHA512 7fc5de658ca52e31120ae305674f755e79b2ad17bcc73b119d8725a8b875575c201c5e4883bcd0ee397b15a77471735ae322ddb16cbcd64b6930c5c9c83d2c37

memory/392-632-0x0000000000400000-0x000000000040B000-memory.dmp