Malware Analysis Report

2024-12-07 10:20

Sample ID: 241113-cb1jzaxpel
Target: 1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe
SHA256: 1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351
Tags: upx, discovery, ransomware
Score: 9/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 9/10

SHA256: 1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351

Threat Level: Likely malicious

The file 1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe was found to be: Likely malicious.

Malicious Activity Summary

Tags: upx, discovery, ransomware

Renames multiple (4653) files with added filename extension
Renames multiple (3337) files with added filename extension
UPX packed file
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 01:54

Signatures

UPX packed file (upx)
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-13 01:54
Reported: 2024-11-13 01:57
Platform: win7-20240903-en
Max time kernel: 120s
Max time network: 21s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe"

Signatures

Renames multiple (3337) files with added filename extension (ransomware)

UPX packed file (upx)
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\artifacts.xml.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\launcher.win32.win32.x86_64.properties.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-keyring-impl.jar.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Java\jre7\lib\zi\America\Thunder_Bay.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Java\jre7\lib\zi\Europe\Warsaw.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\epl-v10.html.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7Handle.png.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Java\jre7\lib\zi\Pacific\Port_Moresby.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\hwritalm.dat.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Java\jre7\lib\deploy\messages_zh_HK.properties.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Java\jre7\lib\images\cursors\win32_CopyNoDrop32x32.gif.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\bin\msvcr100.dll.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Macau.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-charts.jar.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Java\jre7\lib\cmm\PYCC.pf.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Java\jre7\lib\jfr.jar.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Java\jre7\lib\zi\Africa\Tripoli.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\IpsMigrationPlugin.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\blafdoc.css.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.core_5.5.0.165303.jar.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred.xml.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\MSTTSFrontendENU.dll.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-cli.xml.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\plugins\codec\libcvdsub_plugin.dll.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\7-Zip\Lang\mng2.txt.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\fi.pak.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.renderers.swt.nl_zh_4.4.0.v20140623020002.jar.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jvmstat.xml.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\en-US\ShapeCollector.exe.mui.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-imageMask.png.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\localedata.jar.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.base.nl_ja_4.4.0.v20140623020002.jar.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\com-sun-tools-visualvm-modules-startup_zh_CN.jar.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-host-remote.jar.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-application-views_zh_CN.jar.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Java\jre7\bin\sunmscapi.dll.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\IpsMigrationPlugin.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\IPSEventLogMsg.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Shanghai.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.metadataprovider.exsd.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\7-Zip\Lang\cy.txt.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\cs.pak.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\ja-JP\MSTTSLoc.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\resources.jar.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Majuro.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Java\jre7\lib\zi\Africa\Lagos.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Java\jre7\lib\zi\America\Belem.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Common Files\System\ado\msado26.tlb.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\whitemenu.png.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\bandwidth.png.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.felix.gogo.command_0.10.0.v201209301215.jar.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\.lastModified.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Java\jre7\lib\zi\Asia\Hebron.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Microsoft Games\Hearts\en-US\Hearts.exe.mui.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Web.Entity.Design.Resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\tipresx.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome.dll.sig.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\bin\jaas_nt.dll.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-execution.xml.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\en-US\delete.avi.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A

System Location Discovery: System Language Discovery (discovery)
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe

"C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe"

Network

N/A

Files

memory/1908-3-0x0000000000400000-0x000000000040A000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-1488793075-819845221-1497111674-1000\desktop.ini.tmp

MD5 0dd03ddbf7c44ae038298214e6ee37b3
SHA1 9e6bbefa9b9386f759374e26dd0674e12bcea97c
SHA256 e7ad1e2f3fa96caab5fba6330b72da97da2179ff56230ce89a1e2af299966148
SHA512 4fa6cacfdeb0e7cce624f71d18cf982d5b2ecd6171672a016341d2253f1b94c39513fc02870cfa76229aa76d6bcb48ec9929d13eba5341bd489d1e5c854c01d1

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 396e58e0eac1b9bd758bc31b9c3841fb
SHA1 64a144e667953fc1f7ae446059bc33c044358f69
SHA256 95c47920f60ae7fa98f1a8d7b6dac63248948745b344a5471a20c9de7e116577
SHA512 e3dc1165c0ea60791623ceca042e54491b8993c90c7716feb9a0a3b4ff55fbe5fc2059b76b78041d30a09f492a884fd6cca7baf52fb44813a2d3e73595a0c381

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-13 01:54
Reported: 2024-11-13 01:56
Platform: win10v2004-20241007-en
Max time kernel: 120s
Max time network: 94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe"

Signatures

Renames multiple (4653) files with added filename extension (ransomware)

UPX packed file (upx)
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\System.Windows.Input.Manipulations.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\jre\bin\java_crw_demo.dll.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Java\jre-1.8\lib\images\cursors\cursors.properties.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Java\jre-1.8\lib\jsse.jar.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\InkObj.dll.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Common Files\System\msadc\msdaprsr.dll.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Common Files\System\Ole DB\msdasqlr.dll.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Windows.Forms.Design.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-localization-l1-2-0.dll.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\PresentationFramework.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_OEM_Perp-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTest-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_MAK_AE-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\FA000000050.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_altgr.xml.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-runtime-l1-1-0.dll.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Java\jre-1.8\legal\javafx\libxml2.md.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial1-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Integration\C2RManifest.osmmui.msi.16.en-us.xml.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\7-Zip\Lang\ru.txt.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.dll.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Controls.Ribbon.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial2-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTrial-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-heap-l1-1-0.dll.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\jre\lib\management\jmxremote.password.template.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\ZeroByteFile.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\GKWord.dll.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\PresentationCore.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ar.pak.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\vcruntime140.dll.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\mip_core.dll.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\AssertSearch.WTV.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.ServicePoint.dll.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Globalization.Extensions.dll.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Trial-pl.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_KMS_Client_AE-ul.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\linesstylish.dotx.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Windows.Forms.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Java\jre-1.8\bin\javacpl.cpl.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-100.png.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\local_policy.jar.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-140.png.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\WindowsBase.dll.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Office 2007 - 2010.xml.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-white_scale-140.png.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\msix.dll.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Common Files\System\msadc\en-US\msdaremr.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Common Files\System\Ole DB\msdaosp.dll.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.FileVersionInfo.dll.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Integration\Integrator.exe.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Trial-pl.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Document Themes 16\Office Theme.thmx.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_MAK-pl.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Trial-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.DocumentServices.dll.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\dicjp.dll.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\it-IT\InkObj.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A

System Location Discovery: System Language Discovery (discovery)
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe

"C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp

Files

memory/4688-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3227495264-2217614367-4027411560-1000\desktop.ini.tmp

MD5 d1525eed50dca191a3667b484823df28
SHA1 1078cac61b6d89e5da4025f50430f1833b3a11f0
SHA256 5bff3ba3d3e8be8817294376944004e51cb5ecfd92d9d4e5dfddded4e6f6235d
SHA512 d5745bc1a442f06296ebd19cc90667655c48a4221cc419d782289908cb7514d3fbc7977a0f084e87cb7d1145a6a28ce67253d68ffa052de55a77d1656005f3a7

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 2e4c80f030360b3061ce017b2a038578
SHA1 98da6ce034a0f0b3ea706f556f633f9e514d3b12
SHA256 0404825a1d4900135f79e5e70ef0798b7c16ea20c0433c1a2ae457efaf8abb19
SHA512 73bcefee7f350e4d22fb47995416344d1c6152d5380dc53a779d483d4debc7b49365e27930210a84766327f903987383e83f814c754be729d4c6b84a1aead06b

memory/4688-785-0x0000000000400000-0x000000000040A000-memory.dmp