Malware Analysis Report

2025-08-05 15:17

Sample ID 240825-hwnc2ashqq
Target f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6
SHA256 f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6
Tags
upx discovery ransomware
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6

Threat Level: Likely malicious

The file f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6 was found to be: Likely malicious.

Malicious Activity Summary

upx discovery ransomware

Renames multiple (5187) files with added filename extension (behavioral2, win10v2004-20240802-en)

Renames multiple (1086) files with added filename extension (behavioral1, win7-20240704-en)

UPX packed file

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-25 07:05

Signatures

UPX packed file

upx
N/A

Unsigned PE

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-25 07:05

Reported

2024-08-25 07:08

Platform

win7-20240704-en

Max time kernel

150s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe"

Signatures

Renames multiple (1086) files with added filename extension

ransomware

UPX packed file

upx
N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Sand_Paper.jpg.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\IPSEventLogMsg.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Common Files\System\msadc\it-IT\msaddsr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Common Files\System\msadc\msadcer.dll.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-back-over-select.png.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_ButtonGraphic.png.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_image-frame-backglow.png.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\shatter.png.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\US_export_policy.jar.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Halifax.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Common Files\System\ja-JP\wab32res.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaBrightDemiBold.ttf.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Catamarca.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\instrument.dll.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Rangoon.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwrfrash.dat.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\grid_(cm).wmf.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\ShadesOfBlue.jpg.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\include\jawt.h.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\jvm.lib.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\numbase.xml.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Common Files\System\msadc\en-US\msaddsr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Nairobi.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Thimphu.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationUp_SelectionSubpicture.png.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\libxml2.dll.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_it.properties.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\InkObj.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\db\3RDPARTY.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\profile.jfc.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Aqtobe.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Norfolk.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\mip.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\SmallLogo.png.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Internet Explorer\MemoryAnalyzer.dll.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\external_extensions.json.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_SelectionSubpictureA.png.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\TravelIntroToMainMask.wmv.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_zh_TW.properties.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\tabskb.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\DVD Maker\es-ES\DVDMaker.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Internet Explorer\en-US\F12.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\TipRes.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\DVD Maker\audiodepthconverter.ax.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-dayi.xml.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Common Files\System\de-DE\wab32res.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Heart_ButtonGraphic.png.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\libGLESv2.dll.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_pt_BR.jar.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToNotesBackground.wmv.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\resources.pak.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Tallinn.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\desktop.ini.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\circle_glass_Thumbnail.bmp.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationRight_ButtonGraphic.png.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\15x15dot.png.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe

"C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe"

Network

N/A

Files

memory/2388-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2212144002-1172735686-1556890956-1000\desktop.ini.tmp

MD5 c4e8be5e5771fab79836402691fd87e4
SHA1 480aac28a7c31e2ce3855263a771b87ca1e23076
SHA256 d469cd9c668acc4dd6ab6ae1378164a23a31fb4fd7400abe585af88d4437ff5f
SHA512 f51bf1f297afef20ace4ef1676dcbb8b889b1622fda3b85c2378e94e6eb4436af4c96dc75dc4a45267c100ecb449fdce064de4ca6e150965a2f91baf9b23d95f

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 46bf89548075a3158c537970566c0211
SHA1 1c5f8f74c2fad522eff613c10c54873584b9d2ae
SHA256 2ea2c861ac0ce055cbc54bd3bfcc78771988ae791b368d46c80fe7d5abba03da
SHA512 dd28d2e249af70851f1fe7e00f01e69acbeefc3d7616e0682335aaab0af795c5701baba7da2f2f47a552fd731d401f469fc3a1f8e0795a1c9f799da30658d106

memory/2388-27-0x0000000000400000-0x000000000040A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-25 07:05

Reported

2024-08-25 07:07

Platform

win10v2004-20240802-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe"

Signatures

Renames multiple (5187) files with added filename extension

ransomware

UPX packed file

upx
N/A
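"UPX packed file" is raised in static1 and again in both behavioral runs, and the memory dumps place the mapped image at 0x400000-0x40A000, i.e. about 40 KiB. The script below is an added example, not part of the sandbox's own detection logic and not code from the sample: it walks the PE section table by hand (no pefile dependency), looks for the UPX0/UPX1 section names and the "UPX!" magic that an unmodified UPX build leaves in the file, and measures the Shannon entropy of each section's raw bytes, which stays high even after someone has renamed the sections or patched the magic to stop `upx -d` from working. The two images it inspects are synthetic, built in memory by build_pe() with only the fields a section-table walker reads; they are not the report's sample, and the entropy threshold is illustrative.

```python
import math
import random
import struct
from collections import Counter

COFF_HDR = struct.Struct("<HHIIIHH")         # IMAGE_FILE_HEADER (20 bytes)
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER (40 bytes)
OPT_HDR_SIZE = 224                           # PE32 optional header, Magic 0x10b


def build_pe(sections):
    """Assemble a synthetic PE32 image from [(name, raw_bytes, virtual_size)].
    Constructed for this demo: enough structure for a section-table walker, not a loadable exe."""
    pe_off = 0x40
    raw_ptr = pe_off + 4 + COFF_HDR.size + OPT_HDR_SIZE + SECTION_HDR.size * len(sections)
    dos = bytearray(pe_off)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, pe_off)            # e_lfanew
    coff = COFF_HDR.pack(0x14C, len(sections), 0, 0, 0, OPT_HDR_SIZE, 0x0102)
    opt = bytearray(OPT_HDR_SIZE)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    table, body, va = bytearray(), bytearray(), 0x1000
    for name, raw, vsize in sections:
        table += SECTION_HDR.pack(name.encode().ljust(8, b"\0"), vsize, va, len(raw),
                                  raw_ptr if raw else 0, 0, 0, 0, 0, 0x60000020)
        body += raw
        raw_ptr += len(raw)
        va += max(vsize, len(raw), 0x1000)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(table) + bytes(body)


def parse_sections(pe):
    """Return [(name, raw_ptr, raw_size)] from the section table; raise ValueError if not a PE."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _, nsec, _, _, _, opt_size, _ = COFF_HDR.unpack_from(pe, pe_off + 4)
    table = pe_off + 4 + COFF_HDR.size + opt_size
    out = []
    for i in range(nsec):
        name, _vs, _va, raw_size, raw_ptr, *_ = SECTION_HDR.unpack_from(pe, table + i * SECTION_HDR.size)
        out.append((name.rstrip(b"\0").decode("ascii", "replace"), raw_ptr, raw_size))
    return out


def shannon_entropy(data):
    """Bits per byte, 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def upx_indicators(pe, high_entropy=7.2):
    """Three independent signals: UPX section names, the 'UPX!' magic, and per-section entropy."""
    secs = parse_sections(pe)
    entropy = {name: round(shannon_entropy(pe[ptr:ptr + size]), 2) for name, ptr, size in secs if size}
    upx_secs = [name for name, *_ in secs if name.upper().startswith("UPX")]
    marker = b"UPX!" in pe                 # survives in unmodified UPX output, trivially patched out
    max_ent = max(entropy.values(), default=0.0)
    if upx_secs or marker:
        verdict = "upx"
    elif max_ent >= high_entropy:
        verdict = "high-entropy"           # packed or encrypted, packer unknown
    else:
        verdict = "clean"
    return {"sections": [s[0] for s in secs], "upx_sections": upx_secs, "upx_marker": marker,
            "section_entropy": entropy, "max_entropy": max_ent, "verdict": verdict}


# Synthetic test images (constructed, not the report's sample). A UPX-packed PE normally has a
# UPX0 section with no raw data (the unpacked image is expanded there at run time) and a UPX1
# section holding the decompression stub plus the compressed payload.
_rng = random.Random(2024)
PACKED_PE = build_pe([
    ("UPX0", b"", 0x9000),
    ("UPX1", b"UPX!" + bytes(_rng.getrandbits(8) for _ in range(4096)), 0x1100),
    (".rsrc", b"\0" * 512, 0x200),
])
CLEAN_PE = build_pe([
    (".text", bytes([0x55, 0x8B, 0xEC, 0x5D, 0xC3]) * 800, 0x1000),  # push ebp; mov ebp,esp; pop ebp; ret
    (".data", b"\0" * 1024, 0x400),
])

if __name__ == "__main__":
    for label, image in (("packed", PACKED_PE), ("clean", CLEAN_PE)):
        print(label, upx_indicators(image))
```

For the real file, `upx_indicators(open(path, "rb").read())` gives the same dictionary. When the verdict is "upx" and the magic is intact, `upx -d` usually restores the original binary for static analysis; when section names or magic have been tampered with, the entropy reading is what survives, and the practical route is the memory dumps the sandbox already captured (memory/2388-*-memory.dmp and memory/1524-*-memory.dmp above), since the stub has to unpack the real code into memory before it runs.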

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Microsoft Office\root\Office16\MEDIA\VOLTAGE.WAV.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Claims.dll.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Threading.AccessControl.dll.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial2-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Microsoft Office\root\Integration\C2RManifest.osmuxmui.msi.16.en-us.xml.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_OEM_Perp-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_OEM_Perp-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Internet Explorer\ExtExport.exe.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_it.properties.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.DiagnosticSource.dll.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Text.Encodings.Web.dll.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\jfr\default.jfc.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ko-kr.xml.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Common Files\System\msadc\de-DE\msdaprsr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\de-DE\oledb32r.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Trial-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\pl-PL\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_PrepidBypass-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTrial-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework-SystemXmlLinq.dll.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\PROCDB.XLAM.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL044.XML.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\PresentationFramework.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\System.Windows.Input.Manipulations.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\ext\jaccess.jar.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Grayscale.xml.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\offsymxl.ttf.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-heap-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Drawing.dll.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.Linq.dll.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail2-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp3-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\CHAKRACORE.DLL.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Common Files\System\ado\es-ES\msader15.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\cmm\LINEAR_RGB.pf.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription5-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\jconsole.exe.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages.properties.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\jfr.dll.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MINSBPROXY.DLL.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MINSBROAMINGPROXY.DLL.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\WindowsFormsIntegration.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\UIAutomationTypes.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\PresentationCore.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\linesstylish.dotx.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\7-Zip\Lang\ca.txt.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\System.Windows.Input.Manipulations.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Java\jdk-1.8\LICENSE.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\UIAutomationClientSideProviders.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Xaml.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\Microsoft.VisualBasic.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\UIAutomationClientSideProviders.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Common Files\System\ado\msadrh15.dll.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\sqloledb.dll.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Windows.Input.Manipulations.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\SDXHelper.exe.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Forms.dll.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvStreamingManager.dll.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RCom.dll.tmp C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A
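The two "Renames multiple files with added filename extension" signatures (1086 files on win7 in behavioral1, 5187 on win10 in behavioral2) and both "Drops file in Program Files directory" tables show one pattern: for each existing file the sample creates a sibling named after the original plus an appended extension (.tmp here), across many unrelated directories and file types. Whether the .tmp file is the encrypted output or an intermediate that is later renamed again is not something the report shows. The script below is an added example, not part of the sandbox report and not code from the sample: it parses rows in the report's "File created <path> <process> N/A" format, recovers the original name by stripping the appended extension, and flags a process once it has done this to more than a threshold of files spread over several directories with one dominant added extension. The event list is constructed from a subset of the report's rows plus one made-up control row for msiexec.exe (not in the report); the thresholds are illustrative.

```python
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# Process path exactly as it appears in the report.
SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe")

# Constructed event log: a subset of the report's "File created" rows (behavioral1 and the
# $Recycle.Bin entry from its Files list), plus one made-up control row for msiexec.exe
# that is NOT in the report and must not be flagged.
TARGETS = [
    r"C:\Program Files\Common Files\Microsoft Shared\Stationery\Sand_Paper.jpg.tmp",
    r"C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\IPSEventLogMsg.dll.mui.tmp",
    r"C:\Program Files\Common Files\System\msadc\msadcer.dll.tmp",
    r"C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-back-over-select.png.tmp",
    r"C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL.tmp",
    r"C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\US_export_policy.jar.tmp",
    r"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Halifax.tmp",
    r"C:\Program Files\Java\jdk1.7.0_80\jre\bin\instrument.dll.tmp",
    r"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe.tmp",
    r"C:\Program Files\Java\jdk1.7.0_80\include\jawt.h.tmp",
    r"C:\Program Files\Internet Explorer\MemoryAnalyzer.dll.tmp",
    r"C:\Program Files\desktop.ini.tmp",
    r"C:\$Recycle.Bin\S-1-5-21-2212144002-1172735686-1556890956-1000\desktop.ini.tmp",
]
EVENT_LOG = [f"File created {t} {SAMPLE_EXE} N/A" for t in TARGETS]
EVENT_LOG.append(r"File created C:\Users\Admin\AppData\Local\Temp\install.log.tmp "
                 r"C:\Windows\System32\msiexec.exe N/A")

# "File created <target> <process> N/A": the target may contain spaces, the process path does not.
EVENT_RE = re.compile(r"^File created (?P<target>.+?) (?P<proc>[A-Za-z]:\\\S+\.exe) N/A$")


def parse_event(line):
    """Return (target, process) for a file-create row, or None for any other line."""
    m = EVENT_RE.match(line.strip())
    return (m.group("target"), m.group("proc")) if m else None


def split_added_extension(target):
    r"""'...\Sand_Paper.jpg.tmp' -> ('...\Sand_Paper.jpg', '.tmp'); ('', '') if nothing was appended."""
    p = PureWindowsPath(target)
    if not p.suffix:
        return "", ""
    return str(p.with_suffix("")), p.suffix.lower()


def analyze_events(lines, min_files=10, min_dirs=3, min_share=0.9):
    """Per process: how many files got an appended extension, across how many directories and
    original file types, and whether that looks like mass rename/encrypt behaviour."""
    per_proc = defaultdict(list)
    for line in lines:
        parsed = parse_event(line)
        if parsed:
            per_proc[parsed[1]].append(parsed[0])
    report = {}
    for proc, targets in per_proc.items():
        added = Counter()
        dirs, orig_exts = set(), set()
        for t in targets:
            original, ext = split_added_extension(t)
            if not ext:
                continue
            added[ext] += 1
            dirs.add(str(PureWindowsPath(t).parent).lower())
            orig_exts.add(PureWindowsPath(original).suffix.lower())   # '' for names like Halifax
        n = sum(added.values())
        top_ext, top_n = added.most_common(1)[0] if added else ("", 0)
        flagged = bool(n and n >= min_files and len(dirs) >= min_dirs and top_n / n >= min_share)
        report[proc] = {"files": n, "dirs": len(dirs), "added_ext": top_ext,
                        "original_exts": len(orig_exts), "flagged": flagged}
    return report


if __name__ == "__main__":
    for proc, summary in analyze_events(EVENT_LOG).items():
        print("RANSOMWARE-LIKE" if summary["flagged"] else "ok", proc, summary)
```

The three conditions are what separate this from an installer or updater: an installer also writes many .tmp files, but into its own directory tree, with a handful of original extensions, and it removes them afterwards. Running the same function over a full EDR file-create feed rather than the sandbox's excerpt is the point of keying by process path. The report's other discovery signature (the open of HKLM\SYSTEM\ControlSet001\Control\NLS\Language) is recorded only as a key open; the report does not show a language-dependent abort, so treat it as a lead to confirm in the unpacked code, not as an established locale check.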

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe

"C:\Users\Admin\AppData\Local\Temp\f1adfeeb7a676b46a7bd1ebc0fbd7091e2f10ad0d1f5e1e9654998d082e213e6.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 92.16.208.104.in-addr.arpa udp
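Nothing in the behavioral2 Network table is obviously attacker-controlled: every UDP row is a query to Google's resolver (8.8.8.8:53), most of them PTR lookups of in-addr.arpa names, and the only TCP connections go to tse1.mm.bing.net (a Microsoft Bing host) on 443; the win7 run in behavioral1 recorded no network activity at all. The report does not say whether the traffic was initiated by the sample or by the operating system. The helper below is an added example, not part of the report: it decodes PTR names back to the addresses they ask about, separates DNS rows from real connections, and surfaces the two things an analyst wants from such a table, addresses the host reverse-resolved after talking to them (here 150.171.27.10, the same Bing endpoint) and connections whose destination never came from a forward lookup, which is the usual shape of a hard-coded C2 address. The input is constructed from the report's rows plus one made-up row to a TEST-NET address (203.0.113.7, not in the report) that exercises that second check.

```python
import ipaddress
from collections import defaultdict

# Constructed from the behavioral2 Network table (Country Destination Domain Proto), plus one
# made-up row (203.0.113.7:4444, a TEST-NET-3 address) that is NOT in the report.
NETWORK_ROWS = """\
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 203.0.113.7:4444 N/A tcp
"""


def ptr_name_to_ip(name):
    """'10.27.171.150.in-addr.arpa' -> '150.171.27.10'; None if the name is not a PTR query name."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def triage_network(rows):
    """Split the table into DNS lookups and real connections, then cross-reference the two."""
    reverse_lookups, forward_lookups = set(), set()
    connections = defaultdict(int)           # (host, port, proto, domain) -> count
    for line in rows.strip().splitlines():
        _country, dest, domain, proto = line.split()
        host, port = dest.rsplit(":", 1)
        if port == "53" and proto == "udp":  # DNS query as logged by the sandbox
            ip = ptr_name_to_ip(domain)
            if ip:
                reverse_lookups.add(ip)
            else:
                forward_lookups.add(domain.lower())
        else:
            connections[(host, int(port), proto, domain)] += 1
    contacted = {c[0] for c in connections}
    return {
        "reverse_lookups": sorted(reverse_lookups),
        "forward_lookups": sorted(forward_lookups),
        "connections": dict(connections),
        # PTR queries for peers the host actually talked to: the OS resolving its own peer.
        "reverse_lookups_of_contacted_hosts": sorted(reverse_lookups & contacted),
        # Destinations that never came out of a forward DNS answer: hard-coded IPs.
        "connections_without_forward_lookup": sorted(
            f"{h}:{p}" for (h, p, _pr, d) in connections if d.lower() not in forward_lookups),
    }


if __name__ == "__main__":
    for key, value in triage_network(NETWORK_ROWS).items():
        print(f"{key}: {value}")
```

On the report's own rows the last list is empty: the single TCP destination was obtained by a forward lookup of tse1.mm.bing.net, and the PTR queries resolve to addresses the host never connected to except that one. A sample that beacons would show up here as a connection on a non-standard port whose domain column is N/A or an IP literal.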

Files

memory/1524-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2718105630-359604950-2820636825-1000\desktop.ini.tmp

MD5 3046983d553851a79890169b218d1a47
SHA1 2d580945bd19c0d2aa6644ffe774fd3a90f31323
SHA256 43ede67f7a3a7aa876e7d648b89c2418591a6bfca950742cc571e4d485bc3458
SHA512 860f02b953d5b3732c2d63c653019682e7f93bc6e46018fbe382850435e9c89d5c0b270613a837736bb8028e2f5269aca6b3d5c0d280b19910d0eb54afebb399

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 cd9d127573be07e3100594c97d92a325
SHA1 4abcda65bd1db061279df71352a76f95e061a71b
SHA256 01a22eb806975dd2075b79cb4d197d0860ab75f82fe8ccc4abcb5fe95ce5694d
SHA512 ec030bef6be44a907177399e9fe669b95752ab7967158228fe623c90ea628ff35dfba77b30b5382a245d6aa9d26f6a8770f6edf2c84dd0c75c9bfa014312eb52

memory/1524-1006-0x0000000000400000-0x000000000040A000-memory.dmp