Malware Analysis Report

2024-12-07 10:01

Sample ID 241114-ma6dyaxfqg
Target 4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe
SHA256 4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e
Tags upx discovery ransomware
Score 9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e

Threat Level: Likely malicious

The file 4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe was found to be: Likely malicious.

Malicious Activity Summary

upx discovery ransomware

Renames multiple (3089) files with added filename extension

Renames multiple (4207) files with added filename extension

UPX packed file

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-14 10:16

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-14 10:16

Reported

2024-11-14 10:18

Platform

win7-20240903-en

Max time kernel

120s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe"

Signatures

Renames multiple (3089) files with added filename extension

ransomware

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Maldives.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\MST7MDT.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\feature.xml.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\MANIFEST.MF.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\TipTsf.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-5.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.p2.ui.overridden_5.5.0.165303.jar.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-spi-quicksearch_zh_CN.jar.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Java\jre7\lib\zi\Africa\Nairobi.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Internet Explorer\iedvtool.dll.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Chisinau.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ReachFramework.dll.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\lua\meta\art\01_googleimage.luac.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Java\jre7\lib\zi\America\Rankin_Inlet.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Java\jre7\lib\deploy\messages_sv.properties.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\locale\hi\LC_MESSAGES\vlc.mo.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\IpsMigrationPlugin.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee90.tlb.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Glace_Bay.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-swing-outline.xml.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-charts.xml.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Java\jre7\lib\deploy\messages_it.properties.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\7-Zip\Lang\th.txt.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\feature.properties.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Java\jre7\lib\zi\Pacific\Kwajalein.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Web.Entity.Resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\sports_disc_mask.png.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\db\lib\derbynet.jar.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.jarprocessor_1.0.300.v20131211-1531.jar.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Common Files\System\msadc\es-ES\msadcer.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\alt-rt.jar.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.transport.ecf.nl_zh_4.4.0.v20140623020002.jar.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_mac.css.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Java\jre7\lib\zi\Asia\Rangoon.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\WindowsFormsIntegration.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\1047x576black.png.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Nassau.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-masterfs.xml.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_scrapbook_Thumbnail.bmp.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Java\jre7\lib\zi\Asia\Kuching.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Microsoft Games\Mahjong\Mahjong.exe.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Davis.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\InputPersonalization.exe.mui.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\db\bin\setNetworkServerCP.bat.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\feature.xml.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.core.nl_zh_4.4.0.v20140623020002.jar.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\jfluid-server_zh_CN.jar.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Mozilla Firefox\browser\features\[email protected] | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\Microsoft.Build.Conversion.v3.5.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Java\jre7\bin\jabswitch.exe.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.dll.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\locale\zh_TW\LC_MESSAGES\vlc.mo.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.metadataprovider.exsd.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.core.nl_zh_4.4.0.v20140623020002.jar.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-multitabs.jar.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Mozilla Firefox\maintenanceservice.exe.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-core-output2.xml_hidden.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Microsoft Games\Mahjong\de-DE\Mahjong.exe.mui.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Java\jre7\lib\zi\Pacific\Honolulu.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\include\jvmti.h.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_de.properties.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Oral.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.natives_1.1.100.v20140523-0116.jar.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-windows_ja.jar.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe

"C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe"

Network

N/A

Files

memory/2792-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-1488793075-819845221-1497111674-1000\desktop.ini.tmp

MD5 357c772a33f4817a4fe7e55a74860dd5
SHA1 d1ac47f71a61f35c86b162747ed50d9e71750f11
SHA256 af40a29106f557debe6aaeae8c220620aecce392e44907b0296754939edd77bb
SHA512 de90bed75f9ad2cf6c5c0c103372a0dada6405dbe2a99d4516b42e49cfb7c1d1ab0157a22eaed94f6b05df531e012b452279b346bbb87f213d9b7d98e9c17656

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 bf52c9eec05c6b4fab15c33741a0dc4c
SHA1 a62868964aae50ced1c0fd962aafd245373089ff
SHA256 de8432d9f22d2cab283ba26356226c3abc1a5484ea251a34ab3490a59c0a349d
SHA512 2dcc296b368412449958345671d98288075ead60539d10e54efe0dbbf94fd7704c17038519d616388a42257cbb56a956ac2e906e677bb8ac981604f2863ca56e

memory/2792-69-0x0000000000400000-0x000000000040A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-14 10:16

Reported

2024-11-14 10:18

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

92s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe"

Signatures

Renames multiple (4207) files with added filename extension

ransomware

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscorrc.dll.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\UIAutomationClientSideProviders.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\DATATRANSFORMERWRAPPER.DLL.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.Luna.dll.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\PresentationUI.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\jre\bin\sawindbg.dll.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Java\jre-1.8\lib\sound.properties.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_PrepidBypass-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\7-Zip\Lang\an.txt.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\7-Zip\Lang\fy.txt.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ar-sa.dll.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.Annotations.dll.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\UIAutomationClientSideProviders.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_OEM_Perp-ul-phn.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.dll.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Windows.Controls.Ribbon.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\System.Windows.Input.Manipulations.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\jre\lib\cmm\CIEXYZ.pf.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp-pl.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC.HXS.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\7-Zip\Lang\si.txt.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Web.dll.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-multibyte-l1-1-0.dll.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\pkeyconfig-office.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-ul-phn.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-synch-l1-1-0.dll.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Java\jre-1.8\legal\jdk\lcms.md.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial-pl.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription1-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.Primitives.dll.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\Microsoft.VisualBasic.Forms.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Java\jre-1.8\lib\jfr\profile.jfc.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial2-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_K_COL.HXK.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_PrepidBypass-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\pt-BR\tipresx.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pkeyconfig.companion.dll.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.ReaderWriter.dll.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\WindowsBase.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_OEM_Perp-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-xstate-l2-1-0.dll.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\jre\bin\jp2native.dll.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Integration\C2RManifest.office32mui.msi.16.en-us.xml.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Trial-pl.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Retail-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-pl.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Linq.dll.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.Tracing.dll.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Google\Chrome\Application\123.0.6312.123\123.0.6312.123.manifest.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-filesystem-l1-1-0.dll.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Java\jre-1.8\lib\currency.data.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Web.dll.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Compression.dll.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Grace-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\7-Zip\Lang\mn.txt.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Windows.Forms.Primitives.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Controls.Ribbon.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.VisualStudio.Tools.Applications.Runtime.dll.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.OData.Edm.NetFX35.V7.dll.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Microsoft.VisualBasic.dll.tmp | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe

"C:\Users\Admin\AppData\Local\Temp\4b2bf32a8de1d9b20fdb9f056689d9dc409edac5c0f5e844f77269fd48fdfe2e.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp

Files

memory/3248-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2878641211-696417878-3864914810-1000\desktop.ini.tmp

MD5 6dad3fe591c1105edbf57b8aa0b9c8d2
SHA1 22786d7b32a930461f3f44eff5decdb5ee0e95c0
SHA256 871c96cf8f1456158dbb141062fbbf17eaffeb968d3f71eff2d7c16f11b945c2
SHA512 975fe47192d444a638493db97003c56636e8d4d6a5c8328cfd7c2395576d694a5c31e9dd03c03bcea19eb98defae9d6805ccc90d54c0d06658c76a626ccc2971

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 15a315bd301438f3dedf50682984cb6b
SHA1 14ce20f79a7d5f3db79abb260476d5a0087f06fe
SHA256 c94152b8f45232cbe12f0d983ab3f412785d0a9b3e457e6ed2336e82d9d021ef
SHA512 b423ebabe46ca6a605ca3ae07b8f44e094026bbc69bce553d6280a025e214ab8284e774d66c6feebd21b9e871146796c12de1da4271ddc27d4dc0434e46c60b8

memory/3248-659-0x0000000000400000-0x000000000040A000-memory.dmp