Malware Analysis Report

2025-08-11 01:48

Sample ID 241005-x4sp2szenp
Target 1d691141705a3d5591c099e7d4b0709bdc4b1f46f85a1fbe328858b53f967f69
SHA256 1d691141705a3d5591c099e7d4b0709bdc4b1f46f85a1fbe328858b53f967f69
Tags
upx discovery ransomware
score
9/10


Analysis Overview

Threat Level: Likely malicious

The file 1d691141705a3d5591c099e7d4b0709bdc4b1f46f85a1fbe328858b53f967f69 was found to be: Likely malicious.

Malicious Activity Summary

Renames multiple (3756) files with added filename extension

Renames multiple (5031) files with added filename extension

UPX packed file

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-10-05 19:24

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-05 19:24

Reported

2024-10-05 19:27

Platform

win7-20240903-en

Max time kernel

150s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1d691141705a3d5591c099e7d4b0709bdc4b1f46f85a1fbe328858b53f967f69.exe"

Signatures

Renames multiple (3756) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory


System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1d691141705a3d5591c099e7d4b0709bdc4b1f46f85a1fbe328858b53f967f69.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1d691141705a3d5591c099e7d4b0709bdc4b1f46f85a1fbe328858b53f967f69.exe

"C:\Users\Admin\AppData\Local\Temp\1d691141705a3d5591c099e7d4b0709bdc4b1f46f85a1fbe328858b53f967f69.exe"

Network

N/A

Files

memory/1484-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3290804112-2823094203-3137964600-1000\desktop.ini.tmp

MD5 eb6f353ca8e1f2b16c0f414598c744aa
SHA1 bc124104e92a95fcfb60c13ed2e1fcd307dd2a9a
SHA256 91b906602b187764735f8fc85b918606c0d2af71e82535553ca00e70e26f5500
SHA512 41a0a2185f0d7af75328cf2e08ada23b84a966b4d00280046c4d7f513b999826107cbbf5aae0535fed03c132eb67934118f88733aab5858c63fb727b58837f92

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 25c82b65e51b4b74a7dbdfd4f3bc557e
SHA1 147dd5775c911f23b5878cb3d3bae0b5d15eb9d4
SHA256 171fb1f52ea62575d0121fe623efe379577590da38577d0c497b61ea1beed509
SHA512 a91c3a24071c040f13659b2b72cb5122df59859eb653df295b49d5370e865a5220aa38fa408b82431bf2422005fbbfe400b1b338e75c1547c265dc4da89ea8b1

memory/1484-70-0x0000000000400000-0x000000000040B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-05 19:24

Reported

2024-10-05 19:27

Platform

win10v2004-20240910-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1d691141705a3d5591c099e7d4b0709bdc4b1f46f85a1fbe328858b53f967f69.exe"

Signatures

Renames multiple (5031) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory


System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1d691141705a3d5591c099e7d4b0709bdc4b1f46f85a1fbe328858b53f967f69.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1d691141705a3d5591c099e7d4b0709bdc4b1f46f85a1fbe328858b53f967f69.exe

"C:\Users\Admin\AppData\Local\Temp\1d691141705a3d5591c099e7d4b0709bdc4b1f46f85a1fbe328858b53f967f69.exe"

Network


Files

memory/4288-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2629364133-3182087385-364449604-1000\desktop.ini.tmp

MD5 9d479031f6e8c44d2043c28b578cdef5
SHA1 2d19871f45302922fe520bc6df1c062e8929ce0b
SHA256 1214ce72e7264511cf7222475edec8ab8bbafeb2b475360906b39b0f6f868303
SHA512 44979b5f7d11370dc79d1a11a37e606b891ac2cf264d50959dc538d54dfd44bd5e21b109592c8d62df3f382979bd2fd211d1e5b00a88a4121f9e39468b382362

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 d4c015329f38f6a1cf080aec7625fe39
SHA1 be4da026f24cbe1ecaa6d6cbae3175d1c3d0d411
SHA256 61952332b909c9e81ad7b07012b81b3c663d6d64c0416873c7abeca193ffa2cc
SHA512 a9eaa5186cb0e433105b986f63766cf67541ed9fbd99cfccbc4cad0be589a1fb2a3d09ea4b3a54d89d5727aa1d30909dcefc538e48eefe6f951298c73d2ee834

memory/4288-670-0x0000000000400000-0x000000000040B000-memory.dmp