Malware Analysis Report

2024-12-07 09:58

Sample ID 241114-gf845avgnn
Target 949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe
SHA256 949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316
Tags upx discovery ransomware
Score 9/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 9/10

SHA256 949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316

Threat Level: Likely malicious

The file 949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe was found to be: Likely malicious.

Malicious Activity Summary

upx discovery ransomware

Renames multiple (4533) files with added filename extension

Renames multiple (3146) files with added filename extension

UPX packed file

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-11-14 05:45

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-11-14 05:45
Reported 2024-11-14 05:48
Platform win7-20240903-en
Max time kernel 119s
Max time network 16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe"

Signatures

Renames multiple (3146) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\en-US.pak.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\hprof.dll.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.transport.ecf_1.1.0.v20140408-1354.jar.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Java\jre7\lib\jfr\profile.jfc.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwrdeulm.dat.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\it-IT\msdasqlr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Asia\Khandyga.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.preferences_3.5.200.v20140224-1527.jar.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-execution.xml.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\id.pak.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\include\jni.h.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-lib-uihandler_zh_CN.jar.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\chapters-static.png.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Nauru.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Microsoft Games\Minesweeper\en-US\Minesweeper.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Pangnirtung.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Java\jre7\lib\deploy\messages_zh_CN.properties.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwruksh.dat.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Nairobi.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.servlet_3.0.0.v201112011016.jar.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-util_zh_CN.jar.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Internet Explorer\en-US\jsdbgui.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\InputPersonalization.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.htm.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationLeft_SelectionSubpicture.png.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\PreviousMenuButtonIconSubpi.png.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+11.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-util-enumerations.jar.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.Services.Client.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.Entity.Resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\msinfo32.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\ja-JP\sqlxmlx.rll.mui.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\vlc.mo.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\bear_formatted_matte2.wmv.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Karachi.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\license.html.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.text.nl_zh_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-multitabs.xml.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Asia\Jerusalem.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Wrinkled_Paper.gif.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Indian\Mauritius.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.Services.Client.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\play-background.png.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\gstreamer-lite.dll.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-actions.xml.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Java\jre7\lib\plugin.jar.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Tijuana.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\7-Zip\Lang\el.txt.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-previous-static.png.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Java\jre7\bin\jabswitch.exe.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Common Files\System\ado\msadox28.tlb.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.nl_zh_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\com.oracle.jmc.executable.win32.win32.x86_64_5.5.0.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Etc\GMT-10.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Trans_Scene_PAL.wmv.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\MANIFEST.MF.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\bookicon.gif.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-snaptracer.jar.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-api-caching.jar.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Cancun.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\navSubpicture.png.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\com.jrockit.mc.console.ui.notification_contexts.xml.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-oql.jar.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe

"C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe"

Network

N/A

Files

memory/2088-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-1846800975-3917212583-2893086201-1000\desktop.ini.tmp

MD5 832006ff9399e103bf7408599d2c0e20
SHA1 15b86dc4c2df73ee7462cb06e28656d7597530ff
SHA256 25d51ab19d57d2f03820b522e1ca99518ef89b33243ba422bad614d799778dae
SHA512 622a6a5d95a680310433ab669869d991397dc7fdabd354d07500416851fb4dc4f77f1c0426f255c3a04dd3122de52bcfecee11998ba515c6bef2f803f2a07501

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 e8361750013815b3285966381b77a0a8
SHA1 ca764b84a7c7e1bb65e5f12339e9214471017128
SHA256 d066ed23bfff6c02d64e7131c15632850ecbfaf6b9cd15c79ca9c04ffe8f21da
SHA512 19b33438087b644b0159ad67522bc4483c7ad54937ea017a53f4e7a2a0ee4981933cbdb5a8e52e2ad8259fcc6d112f2577b920c6851eee50a0b86999c6f29dd7

memory/2088-70-0x0000000000400000-0x000000000040A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-11-14 05:45
Reported 2024-11-14 05:48
Platform win10v2004-20241007-en
Max time kernel 120s
Max time network 94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe"

Signatures

Renames multiple (4533) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Controls.Ribbon.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\UIAutomationTypes.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\klist.exe.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Facet.thmx.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Retail-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Resources.ResourceManager.dll.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-file-l2-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Xaml.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.WebSockets.dll.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaBrightItalic.ttf.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ja-JP\InkObj.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Printing.dll.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\FPA_f14\FA000000014.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Windows.Input.Manipulations.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\System.Windows.Forms.Primitives.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest2-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\Microsoft.VisualBasic.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Grace-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcDemoR_BypassTrial365-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_KMS_Client_AE-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-140.png.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ipsita.xml.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.dll.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Windows.Input.Manipulations.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\System.Windows.Input.Manipulations.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\en\LocalizedStrings.xml.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ru-ru.dll.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.CodeDom.dll.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\WindowsFormsIntegration.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-140.png.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-string-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\System.Windows.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\hu.pak.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Calibri-Cambria.xml.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Xaml.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.dll.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\ReachFramework.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\fil.pak.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\w2k_lsa_auth.dll.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Retail-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_F_COL.HXK.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-sysinfo-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\management\management.properties.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\SharedPerformance.man.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\fi.pak.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Trial-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\MondoR_KMS_Automation-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Private.Xml.dll.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial2-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVOrchestration.dll.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Trial-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Subscription-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_Subscription-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\PREVIEWTEMPLATE2.POTX.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Common Files\System\msadc\msadds.dll.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_OEM_Perp-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Trial-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe

"C:\Users\Admin\AppData\Local\Temp\949d76f3913794f6651f2fe269edcc03a7c20853179cc841947241c9a3c7e316.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

memory/2292-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3350944739-639801879-157714471-1000\desktop.ini.tmp

MD5 fb2c1273d01002c15b8f8e38d92f5b7f
SHA1 c89a7da6c1e1afdafcf80ca1c59f5976346b3e0c
SHA256 0b5d2430c2681540a1ae476251c69f2c3a9903362935c7aca03614938e0b0c05
SHA512 356e4de846b1885ef42383a56128825bbbc5a786ae39de89f996b0a3d23e436e5452bece1d051b44be46cdf879005e14a13b4d21d676819549ceceef32901fb0

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 0e4e8dc67d1dd5ff690b306839ada3c8
SHA1 ceae363e64392628a436238df820ab32788877c7
SHA256 5e9ba532ca5b18b533d474324e79e332e0a15c75f44b73d2f9123544bfa4b891
SHA512 a7baeae8199ad81e3ee2de951abed31d04318b6eccba61c0ed730c4c8ce87b8ae6aa8b924c9a52b990d16939293fef371d2a7f831c84228360e399de13f08eee

memory/2292-661-0x0000000000400000-0x000000000040A000-memory.dmp