Malware Analysis Report

2024-12-07 10:20

Sample ID: 241113-ce5m4axpgq
Target: 1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe
SHA256: 1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351
Tags: upx, discovery, ransomware
Score: 9/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 9/10

SHA256: 1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351

Threat Level: Likely malicious

The file 1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe was found to be: Likely malicious.

Malicious Activity Summary

Tags: upx, discovery, ransomware

Renames multiple (5101) files with added filename extension (behavioral2, win10v2004-20241007-en)

Renames multiple (3567) files with added filename extension (behavioral1, win7-20241010-en)

UPX packed file

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-13 02:00

Signatures

UPX packed file (tag: upx)

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-13 02:00
Reported: 2024-11-13 02:02
Platform: win7-20241010-en
Max time kernel: 150s
Max time network: 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe"

Signatures

Renames multiple (3567) files with added filename extension (tag: ransomware)

UPX packed file (tag: upx)

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target

System Location Discovery: System Language Discovery (tag: discovery)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe

"C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe"

Network

N/A

Files

memory/1668-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2039016743-699959520-214465309-1000\desktop.ini.tmp

MD5 b418568b6351fbc32e919b97575951ab
SHA1 b85828738dd2343c920c94d8530fcf0784949aa0
SHA256 354d57141b6264a1eaa52745b09349a8be357e67d79c323f3840606e98957c8f
SHA512 9bc90645e1e64a2b93e572a7d89bbb82c8ad46903635c46e1620aee02250eba58dd54b578a319eeaa74a417a9bd1b6966a0c04fdc650d1e783473837ab8bc941

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 d3e6501e1748e3627e73b3b93cda67ad
SHA1 bb97c8af9edd4f489166ae6f9c096c3d7e8986eb
SHA256 f7b5c0c6ee255721dfc217bb6779a5135f44eba24e71c00847d877b60dc8dd4b
SHA512 af2c0b856e1eaaa04b9c7ab61d0062dbec9e844a90878546795c9ed94f4d0b52050b0eb64507a66e1a05b53513c80c31c78bc9e26d22218aaa769bf7324ae409

memory/1668-75-0x0000000000400000-0x000000000040A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-13 02:00
Reported: 2024-11-13 02:02
Platform: win10v2004-20241007-en
Max time kernel: 150s
Max time network: 134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe"

Signatures

Renames multiple (5101) files with added filename extension (tag: ransomware)

UPX packed file (tag: upx)

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target

System Location Discovery: System Language Discovery (tag: discovery)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe

"C:\Users\Admin\AppData\Local\Temp\1e836fb38da73a644e71ec168b3d27f8852682aceda2add195436dafcbb63351N.exe"

Network

Country Destination Domain Proto

Files

memory/2280-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-4050598569-1597076380-177084960-1000\desktop.ini.tmp

MD5 0a53088ef533e5cac27363f1822b6ca0
SHA1 75046d864a3133ed6ca814b50f5e394546c87f92
SHA256 d63e1d6c006efaa1570d2d751e035be3f1177abe2dd44c16cf425808c957ea9d
SHA512 bbf20e19fab0468b2a9099a7b3ee88218e84ce654af2d63bf0a281c0733125a25bc9c69b5986f17562f02f0543c2a951d014a63840d76ccd29332433b87f3e1c

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 321b8839a112b8b49dde87d5a72d9326
SHA1 37ee83596ea67412e397a90a2df1bf78cdcdc418
SHA256 404634eb2051b91ffbd6dddcf5527da44ce9feee861de127c23a791ee221296f
SHA512 4ba46dd47495ab74f5b1ea89df63349d325b5b44e7868f76cda25d9c6cece0a543479c7060a3ad0ad17628876d8ba2882b3d7088e70734617c245602ee16d618

memory/2280-719-0x0000000000400000-0x000000000040A000-memory.dmp