Malware Analysis Report

2024-12-07 10:04

Sample ID 241113-cfehasvbne
Target b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032
SHA256 b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032
Tags
upx discovery ransomware
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032

Threat Level: Likely malicious

The file b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032 was found to be: Likely malicious.

Malicious Activity Summary

upx discovery ransomware

Renames multiple (5010) files with added filename extension

Renames multiple (3695) files with added filename extension

UPX packed file

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 02:00

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 02:00

Reported

2024-11-13 02:03

Platform

win7-20240903-en

Max time kernel

150s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe"

Signatures

Renames multiple (3695) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe

"C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe"

Network

N/A

Files

memory/2664-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2872745919-2748461613-2989606286-1000\desktop.ini.tmp

MD5 a57434a677db3e89ac7e761ebb4d3f58
SHA1 50429071a13a7289bdd7be8e5d410899ee309d9a
SHA256 4bc3bb7918bec324143a9ee643fc132a53a00b24220e19be304106cfe477d2cc
SHA512 4f2eba8ca63187d3fba75137c33a5e902e1665d4531a9fb8a8a525a91fa53c6f604df17abb107993c4937a4c8749ab88762816517621a3f5e8838a73bb25a327

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 2e18e06077d564562d660a8303f3033a
SHA1 df9d987a12009a56eb9d7ce44abc5eda757a45e7
SHA256 0f89229240c29adb7b00bd7d299846d05647f6c053174aad1056da0c7735e369
SHA512 69bd99703a86a45189e5ac9ec51b0d36a4d890541bb0396c56abc6f6d97e0a24108ee955da04d01f6310051d4e93fc485c7fcf9bb249aacd86f805a1e2c4c700

memory/2664-70-0x0000000000400000-0x000000000040B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 02:00

Reported

2024-11-13 02:03

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe"

Signatures

Renames multiple (5010) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe

"C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe"

Network

Country Destination Domain Proto

Files

memory/4676-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-1045960512-3948844814-3059691613-1000\desktop.ini.tmp

MD5 a911e9c4abfe88be1abcadc7e71971e7
SHA1 a984e7b6b695918ae3c629b84079ab44a8ea3399
SHA256 12351a64f1507f773f79a0eac7605721a230d5145f56702c526f1a82fc9cf698
SHA512 3bf80134829da5e0ee1a3184ee181c1cf2dc7a671017ef0897e97de481916bd4e58c0972f92c49f2e268ec6fd67c20f862cc3592b7d4dbbdc2170ca967288073

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 d3c1d49e2a8c67d557d4825eaa992230
SHA1 6926b74919f320e73b47add28bc4ad77c725117a
SHA256 2fff7de2c72a114c6c4e828cfd5fb4f6eac22634ac05fdd63e974631eee35f3c
SHA512 6c9b437f178e7b69f2566884e2bef296721394c509758f520f253b45ea0e066424e4ce7c1d53619bfca1ec5cd4a267ff3fa4f3ad0b14f5e5f856055b7b621ad2

memory/4676-664-0x0000000000400000-0x000000000040B000-memory.dmp