Malware Analysis Report

2025-08-05 21:57

Sample ID 241006-llz6ma1fjh
Target d965f9ea60f6cd22c601eb3705bb89896f327b93228950607e0cdcf2fd9ec9fcN
SHA256 d965f9ea60f6cd22c601eb3705bb89896f327b93228950607e0cdcf2fd9ec9fc
Tags: upx, discovery, ransomware
Score: 9/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
9/10

SHA256

d965f9ea60f6cd22c601eb3705bb89896f327b93228950607e0cdcf2fd9ec9fc

Threat Level: Likely malicious

The file d965f9ea60f6cd22c601eb3705bb89896f327b93228950607e0cdcf2fd9ec9fcN was found to be: Likely malicious.

Malicious Activity Summary

upx discovery ransomware

Renames multiple (3434) files with added filename extension (behavioral1, win7)

Renames multiple (4654) files with added filename extension (behavioral2, win10v2004)

UPX packed file

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-06 09:37

Signatures

UPX packed file

upx
(no indicator details recorded)

Unsigned PE

(no indicator details recorded)
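The two static signatures above ("UPX packed file", "Unsigned PE") are header-level checks. The script below is an added example for this page, not the sandbox's own detection code: it walks the PE headers by hand (no pefile dependency), infers UPX from the UPX0/UPX1 section names the packer leaves behind or its "UPX!" marker, and reports a file as unsigned when the IMAGE_DIRECTORY_ENTRY_SECURITY data directory is empty. The PE bytes it runs on are constructed inside the script so it works offline; pass a real file path on the command line to check an actual sample.

```python
"""Static checks behind the report's 'UPX packed file' and 'Unsigned PE' signatures.

Added example for this page, not the sandbox's own detection code. It reads
the PE headers by hand (no pefile dependency): UPX is inferred from the
section names it leaves behind (UPX0/UPX1) or its 'UPX!' marker, and
'unsigned' from an empty IMAGE_DIRECTORY_ENTRY_SECURITY data directory.
The PE bytes produced by build_fake_pe() are constructed so the script runs offline.
"""
import struct
from typing import Dict, List, Tuple

PE32, PE32PLUS = 0x10B, 0x20B
SECURITY_DIR = 4           # index of the Authenticode certificate table


def parse_pe(data: bytes) -> Tuple[List[str], Tuple[int, int]]:
    """Return (section names, (security_dir_offset, security_dir_size))."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    n_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24                          # start of the optional header
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_base = {PE32: 96, PE32PLUS: 112}[magic]   # offset of the data directories
    n_dirs = struct.unpack_from("<I", data, opt + dd_base - 4)[0]
    sec_dir = (0, 0)
    if n_dirs > SECURITY_DIR:
        sec_dir = struct.unpack_from("<II", data, opt + dd_base + SECURITY_DIR * 8)
    names = []
    hdr = opt + opt_size                         # section table follows the optional header
    for i in range(n_sections):
        raw = data[hdr + 40 * i: hdr + 40 * i + 8]
        names.append(raw.split(b"\0", 1)[0].decode("ascii", "replace"))
    return names, tuple(sec_dir)


def assess_pe(data: bytes) -> Dict[str, object]:
    """Apply the two static checks and return their verdicts."""
    names, (_, sec_size) = parse_pe(data)
    upx = any(n.upper().startswith("UPX") for n in names) or b"UPX!" in data
    return {
        "sections": names,
        "upx_packed": upx,
        # A non-empty security directory only means a signature blob is present;
        # whether it verifies is a separate check (e.g. Get-AuthenticodeSignature).
        "has_authenticode_blob": sec_size != 0,
    }


def build_fake_pe(section_names, security_dir=(0, 0)) -> bytes:
    """Construct a minimal PE32 header-only image for testing (not a real binary)."""
    e_lfanew = 0x40
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    opt_size = 96 + 16 * 8                       # PE32 optional header with 16 data directories
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32)
    struct.pack_into("<I", opt, 92, 16)          # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + SECURITY_DIR * 8, *security_dir)
    sections = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + bytes(opt) + sections


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_fake_pe(["UPX0", "UPX1", ".rsrc"])
    print(assess_pe(blob))
```

Both checks are deliberately cheap: a renamed UPX section or a stripped "UPX!" marker defeats the packer check, and a present-but-invalid certificate blob passes the signature check, so treat them as triage hints in the same way the sandbox does, not as verdicts.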

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-06 09:37

Reported

2024-10-06 09:40

Platform

win7-20240903-en

Max time kernel

120s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d965f9ea60f6cd22c601eb3705bb89896f327b93228950607e0cdcf2fd9ec9fcN.exe"

Signatures

Renames multiple (3434) files with added filename extension

ransomware

UPX packed file

upx
(4 indicator rows, no details recorded)

Drops file in Program Files directory

Description (all rows): File created
Process (all rows): C:\Users\Admin\AppData\Local\Temp\d965f9ea60f6cd22c601eb3705bb89896f327b93228950607e0cdcf2fd9ec9fcN.exe
Target (all rows): N/A

Indicator
C:\Program Files\Common Files\Microsoft Shared\Stationery\Genko_2.emf.tmp
C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\MSTTSCommon.dll.tmp
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\System.Speech.resources.dll.tmp
C:\Program Files\Common Files\System\en-US\wab32res.dll.mui.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_travel_Thumbnail.bmp.tmp
C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaTypewriterBold.ttf.tmp
C:\Program Files\Java\jre7\lib\zi\Asia\Oral.tmp
C:\Program Files\VideoLAN\VLC\plugins\video_filter\libposterize_plugin.dll.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\layers.png.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\index.gif.tmp
C:\Program Files\Mozilla Firefox\defaults\pref\channel-prefs.js.tmp
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.DataSetExtensions.Resources.dll.tmp
C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_gloss-wave_35_f6a828_500x100.png.tmp
C:\Program Files\VideoLAN\VLC\lua\http\dialogs\offset_window.html.tmp
C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_copy_plugin.dll.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\tipresx.dll.mui.tmp
C:\Program Files\Java\jdk1.7.0_80\jre\bin\jsdt.dll.tmp
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Nipigon.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-oql_ja.jar.tmp
C:\Program Files\Java\jdk1.7.0_80\THIRDPARTYLICENSEREADME.txt.tmp
C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_file_plugin.dll.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\16_9-frame-highlight.png.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\Passport_PAL.wmv.tmp
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\CST6.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-windows_zh_CN.jar.tmp
C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\vlc.mo.tmp
C:\Program Files\Common Files\System\msadc\adcjavas.inc.tmp
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Cayenne.tmp
C:\Program Files\Java\jre7\lib\images\cursors\win32_LinkNoDrop32x32.gif.tmp
C:\Program Files\Java\jre7\lib\zi\Indian\Chagos.tmp
C:\Program Files\7-Zip\Lang\de.txt.tmp
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Casablanca.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\license.html.tmp
C:\Program Files\Java\jre7\lib\zi\Europe\Vienna.tmp
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Data.Services.Client.resources.dll.tmp
C:\Program Files\VideoLAN\VLC\plugins\demux\libps_plugin.dll.tmp
C:\Program Files\Java\jre7\bin\jp2iexp.dll.tmp
C:\Program Files\Microsoft Games\Solitaire\de-DE\Solitaire.exe.mui.tmp
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\Microsoft.Build.Utilities.v3.5.resources.dll.tmp
C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_delay_plugin.dll.tmp
C:\Program Files\Windows Journal\fr-FR\jnwdui.dll.mui.tmp
C:\Program Files\7-Zip\Lang\be.txt.tmp
C:\Program Files\Common Files\Microsoft Shared\Stationery\To_Do_List.emf.tmp
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Lagos.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.repository.nl_ja_4.4.0.v20140623020002.jar.tmp
C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_ps_plugin.dll.tmp
C:\Program Files\DVD Maker\Shared\Parity.fx.tmp
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Thunder_Bay.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.operations.nl_zh_4.4.0.v20140623020002.jar.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-uihandler.jar.tmp
C:\Program Files\Microsoft Office\Office14\VisioCustom.propdesc.tmp
C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_100_f6f6f6_1x400.png.tmp
C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_zh_TW.jar.tmp
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Ceuta.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.html.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-modules-appui.xml.tmp
C:\Program Files\Java\jre7\lib\accessibility.properties.tmp
C:\Program Files\Java\jre7\lib\meta-index.tmp
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\System.IdentityModel.Selectors.Resources.dll.tmp
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Maputo.tmp
C:\Program Files\Java\jre7\lib\zi\Asia\Kuching.tmp
C:\Program Files\Microsoft Office\Office14\BCSLaunch.dll.tmp
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Omsk.tmp
C:\Program Files\VideoLAN\VLC\plugins\demux\libmod_plugin.dll.tmp

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\d965f9ea60f6cd22c601eb3705bb89896f327b93228950607e0cdcf2fd9ec9fcN.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d965f9ea60f6cd22c601eb3705bb89896f327b93228950607e0cdcf2fd9ec9fcN.exe

"C:\Users\Admin\AppData\Local\Temp\d965f9ea60f6cd22c601eb3705bb89896f327b93228950607e0cdcf2fd9ec9fcN.exe"

Network

N/A

Files

memory/2648-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-1846800975-3917212583-2893086201-1000\desktop.ini.tmp

MD5 e45ced5e0e14d234d975f6a19c5c2632
SHA1 0281b5e5ff479a33d6ddcf88d377dbbe081a9cb3
SHA256 d884323ffffdd38a056fa9366e3fd0ebc3a0eb6079a67620696eb6e10726c978
SHA512 0f415f8f9360795450cf6fc16e14d2e377eb39f7c63dc84f92f2271e40db948be908842dbe620cde9d6488fd3ecc97db2a0ff6e628a4b5020933cb845c292b74

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 0f464c4906523d58641b61fb2fb41550
SHA1 1c2731fd799b210ffc60d7cd07a64d18a13f7eb1
SHA256 afac0ed57f675dd1d2d683cef7a43dcabf51ee0acea1fc9e01266d6c5df3b52f
SHA512 73985d5d61c11adcf0211189e6c31c060dd60623db56616d0a8953a7b6994fa07dc3eda56fdcc36ecb14f278cefe717209433b7fb5c1718dd6ed73fd78982dbe

memory/2648-74-0x0000000000400000-0x000000000040B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-06 09:37

Reported

2024-10-06 09:40

Platform

win10v2004-20240802-en

Max time kernel

120s

Max time network

92s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d965f9ea60f6cd22c601eb3705bb89896f327b93228950607e0cdcf2fd9ec9fcN.exe"

Signatures

Renames multiple (4654) files with added filename extension

ransomware

UPX packed file

upx
(4 indicator rows, no details recorded)

Drops file in Program Files directory

Description (all rows): File created
Process (all rows): C:\Users\Admin\AppData\Local\Temp\d965f9ea60f6cd22c601eb3705bb89896f327b93228950607e0cdcf2fd9ec9fcN.exe
Target (all rows): N/A

Indicator
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\UIAutomationProvider.resources.dll.tmp
C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-time-l1-1-0.dll.tmp
C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe.tmp
C:\Program Files\Java\jre-1.8\bin\bci.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_MAK-ul-oob.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_KMS_Client-ppd.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\WindowsBase.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Windows.Forms.Primitives.resources.dll.tmp
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.tmp
C:\Program Files\Microsoft Office\root\Office16\Graph.exe.manifest.tmp
C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\PROCDB.XLAM.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Pipes.AccessControl.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Core.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Private.Xml.Linq.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.DirectoryServices.dll.tmp
C:\Program Files\Java\jdk-1.8\jre\bin\jawt.dll.tmp
C:\Program Files\Java\jre-1.8\bin\dcpr.dll.tmp
C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONCHART.DLL.tmp
C:\Program Files\7-Zip\Lang\pt-br.txt.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\Microsoft.VisualBasic.Forms.resources.dll.tmp
C:\Program Files\Common Files\System\msadc\en-US\msaddsr.dll.mui.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\PresentationFramework.resources.dll.tmp
C:\Program Files\Google\Chrome\Application\chrome.exe.tmp
C:\Program Files\Java\jre-1.8\lib\tzdb.dat.tmp
C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Garamond.xml.tmp
C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription1-ul-oob.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Retail-ul-oob.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\bwclassic.dotx.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Thread.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-ul-oob.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-ppd.xrm-ms.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Windows.Input.Manipulations.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Drawing.Design.dll.tmp
C:\Program Files\Java\jdk-1.8\jre\lib\charsets.jar.tmp
C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-conio-l1-1-0.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Subscription-ul-oob.xrm-ms.tmp
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOLoader.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\MondoR_EnterpriseSub_Bypass30-ppd.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ViewOnly_ZeroGrace-ppd.xrm-ms.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Xaml.resources.dll.tmp
C:\Program Files\Common Files\microsoft shared\ink\it-IT\TabTip.exe.mui.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Transactions.Local.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\Microsoft.VisualBasic.Forms.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.Aero2.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-pl.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\SkypeServiceBypassR_PrepidBypass-ppd.xrm-ms.tmp
C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.lv-lv.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Encoding.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\WindowsBase.resources.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-pl.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_Subscription-ppd.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_KMS_Client-ul-oob.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\MSIPC\lv\msipc.dll.mui.tmp
C:\Program Files\ApproveConnect.lock.tmp
C:\Program Files\Common Files\microsoft shared\ink\it-IT\mshwLatin.dll.mui.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\hostpolicy.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_MAK-pl.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-ppd.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-pl.xrm-ms.tmp
C:\Program Files\7-Zip\Lang\ca.txt.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.Serialization.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.Classic.dll.tmp
C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\SmallLogoCanary.png.tmp
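In both detonations (behavioral1 on win7 and behavioral2 on win10v2004) the same pattern drives the ransomware verdict: one process writes thousands of files whose names are an existing name plus an appended extension, spread across unrelated directories. The script below is an added example for this page, not the sandbox's signature code, showing how that behaviour can be detected from file-create telemetry (events shaped like Sysmon Event ID 11). The target paths are copied from the two "Drops file in Program Files directory" tables; the timestamps, PIDs and the msiexec.exe decoy rows are assumed for illustration. The key discriminator from a benign installer is not the ".tmp" suffix itself but the count of distinct directories touched inside a short window.

```python
"""Detection for the report's 'Renames multiple (N) files with added filename
extension' behaviour, run over constructed file-create events.

Added example for this page, not the sandbox's signature code. Events are
shaped like Sysmon Event ID 11 (FileCreate); the target paths are copied from
the report's 'Drops file in Program Files directory' rows, while the
timestamps, PIDs and the msiexec.exe decoy rows are assumed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, Optional, Tuple
import ntpath

SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\d965f9ea60f6cd22c601eb3705bb89896f327b93228950607e0cdcf2fd9ec9fcN.exe")
MSIEXEC = r"C:\Windows\System32\msiexec.exe"   # assumed decoy process

# Constructed events: (utc_time, pid, image, target_filename)
EVENTS = [
    ("2024-10-06T09:38:10", 2648, SAMPLE_EXE, r"C:\Program Files\Common Files\Microsoft Shared\Stationery\Genko_2.emf.tmp"),
    ("2024-10-06T09:38:10", 2648, SAMPLE_EXE, r"C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\MSTTSCommon.dll.tmp"),
    ("2024-10-06T09:38:11", 2648, SAMPLE_EXE, r"C:\Program Files\Java\jre7\lib\zi\Asia\Oral.tmp"),
    ("2024-10-06T09:38:11", 2648, SAMPLE_EXE, r"C:\Program Files\VideoLAN\VLC\plugins\video_filter\libposterize_plugin.dll.tmp"),
    ("2024-10-06T09:38:12", 2648, SAMPLE_EXE, r"C:\Program Files\Mozilla Firefox\defaults\pref\channel-prefs.js.tmp"),
    ("2024-10-06T09:38:12", 2648, SAMPLE_EXE, r"C:\Program Files\7-Zip\Lang\de.txt.tmp"),
    ("2024-10-06T09:38:13", 2648, SAMPLE_EXE, r"C:\$Recycle.Bin\S-1-5-21-1846800975-3917212583-2893086201-1000\desktop.ini.tmp"),
    # Decoy (constructed): an installer writing three .tmp files into a single directory.
    ("2024-10-06T09:38:15", 4100, MSIEXEC, r"C:\Windows\Installer\MSI1A2B.tmp"),
    ("2024-10-06T09:38:15", 4100, MSIEXEC, r"C:\Windows\Installer\MSI1A2C.tmp"),
    ("2024-10-06T09:38:16", 4100, MSIEXEC, r"C:\Windows\Installer\MSI1A2D.tmp"),
]

Key = Tuple[int, str, str]   # (pid, image, appended extension)


def appended_extension(path: str) -> Optional[str]:
    """Last extension of the file name, lower-cased; None when there is none."""
    name = ntpath.basename(path)
    stem, dot, ext = name.rpartition(".")
    return ext.lower() if dot and stem else None


def find_mass_extension_writers(events: Iterable[Tuple[str, int, str, str]],
                                min_files: int = 5, min_dirs: int = 3,
                                window_s: int = 120) -> Dict[Key, int]:
    """Processes that wrote >= min_files files with one appended extension
    across >= min_dirs distinct directories inside any window_s-second window.
    Returns the largest qualifying window size per (pid, image, ext)."""
    rows = defaultdict(list)                     # Key -> [(time, directory)]
    for ts, pid, image, path in events:
        ext = appended_extension(path)
        if ext is not None:
            rows[(pid, image, ext)].append((datetime.fromisoformat(ts), ntpath.dirname(path).lower()))
    hits: Dict[Key, int] = {}
    for key, items in rows.items():
        items.sort()
        start = 0
        for end in range(len(items)):             # sliding window over time-ordered writes
            while items[end][0] - items[start][0] > timedelta(seconds=window_s):
                start += 1
            span = items[start:end + 1]
            if len(span) >= min_files and len({d for _, d in span}) >= min_dirs:
                hits[key] = max(hits.get(key, 0), len(span))
    return hits


if __name__ == "__main__":
    for (pid, image, ext), n in find_mass_extension_writers(EVENTS).items():
        print(f"pid {pid} {image}: {n} files with appended .{ext}")
```

On the constructed input only the sample process trips the rule; msiexec.exe stays under both the file-count and directory-count thresholds. For production use the thresholds would be tuned per environment, since backup agents and patchers legitimately produce bursts of uniformly suffixed writes.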

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\d965f9ea60f6cd22c601eb3705bb89896f327b93228950607e0cdcf2fd9ec9fcN.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d965f9ea60f6cd22c601eb3705bb89896f327b93228950607e0cdcf2fd9ec9fcN.exe

"C:\Users\Admin\AppData\Local\Temp\d965f9ea60f6cd22c601eb3705bb89896f327b93228950607e0cdcf2fd9ec9fcN.exe"

Network

Country  Destination  Domain                        Proto
US       8.8.8.8:53   28.118.140.52.in-addr.arpa    udp
US       8.8.8.8:53   67.31.126.40.in-addr.arpa     udp
US       8.8.8.8:53   58.55.71.13.in-addr.arpa      udp
US       8.8.8.8:53   228.249.119.40.in-addr.arpa   udp
US       8.8.8.8:53   56.163.245.4.in-addr.arpa     udp
US       8.8.8.8:53   198.187.3.20.in-addr.arpa     udp
US       8.8.8.8:53   83.210.23.2.in-addr.arpa      udp
US       8.8.8.8:53   23.236.111.52.in-addr.arpa    udp

All eight entries are reverse (PTR) lookups sent to 8.8.8.8; the report gives no process attribution for them and lists no other network activity, so they do not by themselves show the sample contacting any server.

Files

memory/2000-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-656926755-4116854191-210765258-1000\desktop.ini.tmp

MD5 1791ad20e5b5ea93ed247a0931eebe04
SHA1 3973ee1a9553a584ca21e9a5d6c85cb33f4d2a7a
SHA256 e04832ed5b8582cdb1fee34650ae81dacbefddb5a0532726c423ca5c686ae745
SHA512 b5f07d7f73a52d5461a7b7269659c1ee5d78af2bbe5e1ef8904714de5cf244c526be47964425701706e6823889cb9f6a957b60a61e85b0cff1dd06411213f59b

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 5c4215f2ba08b1aa3694ac9654b3e040
SHA1 cc8bbcd06c7fa2c77da75c296895fc7acf4a0dda
SHA256 6139f3f1e9efa238c8a88160ada8d2d69539b5cf568c7047adb178e35544f48a
SHA512 a45e6e2feade9687bd168f0b3c176c516ae32beaa78999ca94d482a1e6eb2dc1143acb586a4aa5234494b42bdd959136333cc5fb1569c46a2d0559445278fe59

memory/2000-866-0x0000000000400000-0x000000000040B000-memory.dmp