Malware Analysis Report

2024-12-07 10:21

Sample ID 241113-ch22daxqcl
Target b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032
SHA256 b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032
Tags upx discovery ransomware
Score 9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032

Threat Level: Likely malicious

The file b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032 was found to be: Likely malicious.

Malicious Activity Summary

upx discovery ransomware

Renames multiple (4950) files with added filename extension

Renames multiple (3658) files with added filename extension

UPX packed file

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 02:05

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 02:05

Reported

2024-11-13 02:07

Platform

win7-20240903-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe"

Signatures

Renames multiple (3658) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Makassar.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-ui_zh_CN.jar.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\js\ui.js.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\codec\liblpcm_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\diner_dot.png.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\7-Zip\Lang\hu.txt.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI.DLL.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\title_stripe.png.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\javafx.policy.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-heapwalker_zh_CN.jar.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.nl_zh_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-sampler.jar.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Microsoft Games\Multiplayer\Checkers\es-ES\ChkrRes.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\images\Folder-48.png.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\codec\libflac_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\msinfo32.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\203x8subpicture.png.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-application-views_zh_CN.jar.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Java\jre7\lib\alt-rt.jar.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Windows Media Player\en-US\wmlaunch.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\prev_down.png.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\search_background.png.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\TipTsf.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.engine.nl_zh_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Antarctica\Mawson.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\plugins.dat.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.base_4.0.200.v20141007-2301.jar.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Asia\Kuala_Lumpur.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\codec\libdca_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Windows Journal\jnwppr.dll.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main.xml.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationRight_ButtonGraphic.png.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Java\jre7\bin\npt.dll.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\codec\libzvbi_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\visualization\libvisual_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Windows Defender\fr-FR\MpEvMsg.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Windows Defender\MpSvc.dll.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Push\1047x576black.png.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\lv.pak.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Fakaofo.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\feature.xml.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-host-views.jar.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.attributeTransformation.exsd.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench3.nl_ja_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\fr-FR\sqlxmlx.rll.mui.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationLeft_ButtonGraphic.png.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\title.htm.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-swing-plaf.jar.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-host.jar.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Management.Instrumentation.Resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\pause_hov.png.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\IPSEventLogMsg.dll.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\db\bin\setEmbeddedCP.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-attach_zh_CN.jar.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwrusalm.dat.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\cpyr.htm.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.filetransfer_5.0.0.v20140827-1444.jar.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring_zh_CN.jar.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-sampler.xml.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Java\jre7\lib\jfr\profile.jfc.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.ServiceModel.Resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe

"C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe"

Network

N/A

Files

memory/1680-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-4177215427-74451935-3209572229-1000\desktop.ini.tmp

MD5 9789ff3b386d4f5d2e9bee1c31bd2767
SHA1 17b38201205036bbdc50cccb74844ff83f21bf5f
SHA256 5cae4d06702a5fd5726d0f2099722127eb683f19b402f7415375520df6d4e7e2
SHA512 9c70323e63f99af5d0c1cf2eb4bb90b8fda68f6e3edc53505c15dbdd782503e0b0b058b67f22ab417f65d1d101eb5f6ba0ac3c15578a79d1b0e73480d0b0553d

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 92f7a5cfb334a727ed4c6835fecdf4f1
SHA1 f20629529260612f9ce1429889adcaf0c57f3587
SHA256 efeb9efb3104aaeec9f2a2bf0c10af37175e57d770ad8a16f6950f1dfd8b6ae3
SHA512 eb6257bde11d67b6572b4b5dc0772ae142aef5e3967ffba5aa83d9f73eeced895341ce9a54dc7210d2d1c33fd2a836acb9074e1cef7ac36bd8aa5f951ed5aae9

memory/1680-74-0x0000000000400000-0x000000000040B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 02:05

Reported

2024-11-13 02:07

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe"

Signatures

Renames multiple (4950) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Private.Xml.dll.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Accessibility.dll.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\eventlog_provider.dll.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\es-ES\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\PresentationFramework.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_F_COL.HXK.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\UIAutomationTypes.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Forms.dll.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp4-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\security\public_suffix_list.dat.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTrial-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-140.png.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\PresentationFramework.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\ReachFramework.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\LogoBeta.png.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_MAK_AE-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Retail-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.VisualBasic.Core.dll.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\System.Windows.Controls.Ribbon.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Xaml.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Diagnostics.EventLog.dll.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_KMS_Client_AE-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\sound.properties.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Retail-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\MondoR_OEM_Perp-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-time-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-errorhandling-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Drawing.Primitives.dll.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\am.pak.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Common Files\System\msadc\fr-FR\msdaremr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Microsoft.WindowsDesktop.App.runtimeconfig.json.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PersonalDemoR_BypassTrial180-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\offsymb.ttf.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.AccessControl.dll.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\PresentationCore.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Java\jdk-1.8\legal\jdk\icu.md.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\de-DE\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\ext\access-bridge-64.jar.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Retail-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial5-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\it-IT\sqloledb.rll.mui.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\System.Xaml.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\PresentationUI.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\System.Windows.Controls.Ribbon.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-environment-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_COL.HXC.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\j2pkcs11.dll.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_Subscription-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\msoasb.exe.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ja-JP\tabskb.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Common Files\System\ado\msado26.tlb.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Windows.Input.Manipulations.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\AUDIOSEARCHLTS.DLL.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Windows.Forms.Primitives.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\pt-PT.pak.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_CopyNoDrop32x32.gif.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Trial-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.de-de.dll.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\PresentationCore.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe

"C:\Users\Admin\AppData\Local\Temp\b64b89f144169e3bb6394c4d10c7d922557cfeea7c5b6634a7ca8c341649e032.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

memory/984-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3756129449-3121373848-4276368241-1000\desktop.ini.tmp

MD5 ec325617b2dea424532bf2f744507d61
SHA1 2d65aae7cadc83702ad1c1ee54e0491657e6594c
SHA256 736ad9051376bff5787ea34e0afcd3ba31119a1b329aa2c09cd0a91b5d408030
SHA512 4ad6b9a1044dee0b038dfc74fa19c7e8b7b797c267db6a993b4d652937ed6055975e9fb1afd69dc095073159a3cff94e5f56eb1ff6f139f6ed7217e53619fa5e

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 59aadfa3c6ab7230cf54ff99fc0487f2
SHA1 10ffe0dccffbecbf421e2d7e862c6677d1a6f7b7
SHA256 3b9621c3752556cd58e2073075e984205aef05158be0e8210aea39afdd0df795
SHA512 4527197d5f91e7ac624dcedafa19812c95d4cec6723452ce6a5d58227ca2309cc255d12de5848fdaf0dbcecb5fa74f7ce12b122273a166f83fe3be76cc5e5b29

memory/984-696-0x0000000000400000-0x000000000040B000-memory.dmp