Malware Analysis Report

2025-08-05 21:56

Sample ID 241006-mhvbmstcmf
Target 6fd411b520ee95049b844e6f7383ca126a763434c0f83b04b13aa507a0f897ffN
SHA256 6fd411b520ee95049b844e6f7383ca126a763434c0f83b04b13aa507a0f897ff
Tags
discovery ransomware
score
9/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
9/10

SHA256

6fd411b520ee95049b844e6f7383ca126a763434c0f83b04b13aa507a0f897ff

Threat Level: Likely malicious

The file 6fd411b520ee95049b844e6f7383ca126a763434c0f83b04b13aa507a0f897ffN was found to be: Likely malicious.

Malicious Activity Summary

discovery ransomware

Renames multiple (4659) files with added filename extension (behavioral2, win10v2004)

Renames multiple (3228) files with added filename extension (behavioral1, win7)

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

MITRE ATT&CK

Enterprise Matrix V15

The rendered matrix did not survive extraction; the techniques can be read off the signatures below. The read of HKLM\SYSTEM\ControlSet001\Control\NLS\Language is System Location Discovery: System Language Discovery (T1614.001). The mass renaming of files with an added extension across Program Files and user locations is the behaviour behind the ransomware tag, Data Encrypted for Impact (T1486). "Unsigned PE" is a static property with no ATT&CK mapping.

Analysis: static1

Detonation Overview

Reported

2024-10-06 10:28

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

No indicator rows: the signature records a static property of the sample (the PE carries no Authenticode signature), not a runtime event.

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-06 10:28

Reported

2024-10-06 10:30

Platform

win7-20240903-en

Max time kernel

120s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6fd411b520ee95049b844e6f7383ca126a763434c0f83b04b13aa507a0f897ffN.exe"

Signatures

Renames multiple (3228) files with added filename extension

ransomware

Drops file in Program Files directory

Description | Indicator | Process | Target
All 64 rows: Description = File created; Process = C:\Users\Admin\AppData\Local\Temp\6fd411b520ee95049b844e6f7383ca126a763434c0f83b04b13aa507a0f897ffN.exe; Target = N/A. Indicators:
C:\Program Files\VideoLAN\VLC\plugins\demux\libmkv_plugin.dll.tmp
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Mahe.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-uisupport.xml.tmp
C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png.tmp
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Xml.Linq.Resources.dll.tmp
C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_srt_plugin.dll.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_photo_Thumbnail.bmp.tmp
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\el.pak.tmp
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Bissau.tmp
C:\Program Files\Java\jre7\lib\zi\America\Cambridge_Bay.tmp
C:\Program Files\VideoLAN\VLC\lua\http\favicon.ico.tmp
C:\Program Files\Internet Explorer\en-US\iedvtool.dll.mui.tmp
C:\Program Files\Java\jdk1.7.0_80\jre\lib\charsets.jar.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861261279.profile.gz.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-options-keymap.xml.tmp
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\UIAutomationProvider.resources.dll.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationLeft_SelectionSubpicture.png.tmp
C:\Program Files\Microsoft Games\Mahjong\ja-JP\Mahjong.exe.mui.tmp
C:\Program Files\DVD Maker\Shared\DissolveAnother.png.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\TravelIntroToMainMask.wmv.tmp
C:\Program Files\Microsoft Games\Hearts\es-ES\Hearts.exe.mui.tmp
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.IdentityModel.Selectors.Resources.dll.tmp
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.Linq.Resources.dll.tmp
C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libparam_eq_plugin.dll.tmp
C:\Program Files\VideoLAN\VLC\plugins\control\libdummy_plugin.dll.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\play-background.png.tmp
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Brussels.tmp
C:\Program Files\Java\jre7\lib\zi\Asia\Yakutsk.tmp
C:\Program Files\Java\jre7\lib\zi\GMT.tmp
C:\Program Files\PublishExpand.htm.tmp
C:\Program Files\Java\jdk1.7.0_80\db\RELEASE-NOTES.html.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.diagnostic.ja_5.5.0.165303.jar.tmp
C:\Program Files\Java\jre7\bin\keytool.exe.tmp
C:\Program Files\Microsoft Games\Multiplayer\Backgammon\es-ES\bckgRes.dll.mui.tmp
C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libspatializer_plugin.dll.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\micaut.dll.mui.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\tabskb.dll.mui.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.commands.nl_zh_4.4.0.v20140623020002.jar.tmp
C:\Program Files\Java\jre7\lib\zi\Asia\Dhaka.tmp
C:\Program Files\Java\jre7\lib\zi\America\Port-au-Prince.tmp
C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\manifest.json.tmp
C:\Program Files\7-Zip\Lang\ba.txt.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\203x8subpicture.png.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\PassportMask.wmv.tmp
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Sakhalin.tmp
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Tokyo.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher_1.3.0.v20140415-2008.jar.tmp
C:\Program Files\Microsoft Games\Multiplayer\Checkers\ja-JP\chkrzm.exe.mui.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\mshwLatin.dll.mui.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_RGB_PAL.wmv.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-core_zh_CN.jar.tmp
C:\Program Files\Microsoft Games\Solitaire\SolitaireMCE.png.tmp
C:\Program Files\VideoLAN\VLC\lua\modules\sandbox.luac.tmp
C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_srt_plugin.dll.tmp
C:\Program Files\7-Zip\7z.sfx.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\ipssve.xml.tmp
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ro.pak.tmp
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Stanley.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-ui.xml.tmp
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Data.Entity.Resources.dll.tmp
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI.MOF.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-shadow.png.tmp
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Atikokan.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\plugin.xml.tmp
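
The two signatures above ("Renames multiple files with added filename extension" and "Drops file in Program Files directory") come from the same pattern: one process writes a `<original name>.<original ext>.tmp` beside thousands of existing files. The following is an added example of that detection logic, not code from the sandbox or from this report. It parses rows in the report's flattened "Description Indicator Process Target" layout, extracts the extension that was appended to an already-named file, and alerts when one (process, extension) pair crosses a threshold. The rows are constructed from the table above with the sample's process path shortened to `sample.exe`, the msiexec row is a hypothetical benign write, and the threshold of 5 is sized for this sample (the sandbox's own threshold is not stated in the report).

```python
"""Mass "added extension" write detection over sandbox file-event rows.

Added example, not part of the sandbox report. Rows are constructed from
the report's "File created" table; the process path is shortened.
"""
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# Each flattened row is "Description Indicator Process Target". The indicator
# path may contain spaces, the last two columns do not, so match the indicator
# greedily and peel the trailing two whitespace-free tokens off the end.
ROW_RE = re.compile(
    r"^(?P<desc>File created) (?P<indicator>.+) (?P<process>\S+) (?P<target>\S+)$"
)

PROC = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"  # shortened (constructed)

SAMPLE_ROWS = [  # constructed from the behavioral1 table, plus one benign row
    rf"File created C:\Program Files\7-Zip\7z.sfx.tmp {PROC} N/A",
    rf"File created C:\Program Files\Java\jre7\bin\keytool.exe.tmp {PROC} N/A",
    rf"File created C:\Program Files\Java\jre7\lib\zi\GMT.tmp {PROC} N/A",
    rf"File created C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\manifest.json.tmp {PROC} N/A",
    rf"File created C:\Program Files\Internet Explorer\en-US\iedvtool.dll.mui.tmp {PROC} N/A",
    rf"File created C:\Program Files\Microsoft Games\Solitaire\SolitaireMCE.png.tmp {PROC} N/A",
    # Hypothetical benign write by another process: one suffix only, never counted.
    r"File created C:\Windows\Temp\setup.log C:\Windows\System32\msiexec.exe N/A",
]


def parse_row(line):
    """Split one flattened row into its four columns; None if it is not a file-created row."""
    m = ROW_RE.match(line)
    return m.groupdict() if m else None


def added_extension(path):
    """Extension appended to a file that already had one: keytool.exe.tmp -> '.tmp'.

    A name with a single suffix (GMT.tmp) cannot be told apart from a genuine .tmp
    file without the rename event, so it yields None and the count stays conservative.
    """
    suffixes = PureWindowsPath(path).suffixes
    if len(suffixes) < 2:
        return None
    return suffixes[-1].lower()


def mass_extension_events(rows, threshold=5):
    """One finding per (process, added extension) whose write count reaches `threshold`.

    Each finding carries a breakdown by top-level directory so an analyst can see at
    a glance that the writes span Program Files rather than one application's cache.
    """
    counts = Counter()
    top_dirs = defaultdict(Counter)
    for line in rows:
        row = parse_row(line)
        if row is None:
            continue
        ext = added_extension(row["indicator"])
        if ext is None:
            continue
        key = (row["process"], ext)
        counts[key] += 1
        parts = PureWindowsPath(row["indicator"]).parts  # ('C:\\', 'Program Files', ...)
        top_dirs[key][parts[1] if len(parts) > 1 else parts[0]] += 1
    return [
        {"process": proc, "added_ext": ext, "count": n, "top_dirs": dict(top_dirs[(proc, ext)])}
        for (proc, ext), n in counts.items()
        if n >= threshold
    ]


if __name__ == "__main__":
    for finding in mass_extension_events(SAMPLE_ROWS):
        print(finding)
```

On the full table the same function reports a single `.tmp` finding for the sample process across Program Files; in a production pipeline the rows would come from Sysmon Event ID 11 (FileCreate) or an EDR file-write stream and the threshold would be tuned per environment.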

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6fd411b520ee95049b844e6f7383ca126a763434c0f83b04b13aa507a0f897ffN.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6fd411b520ee95049b844e6f7383ca126a763434c0f83b04b13aa507a0f897ffN.exe

"C:\Users\Admin\AppData\Local\Temp\6fd411b520ee95049b844e6f7383ca126a763434c0f83b04b13aa507a0f897ffN.exe"

Network

N/A

Files

C:\$Recycle.Bin\S-1-5-21-1846800975-3917212583-2893086201-1000\desktop.ini.tmp

MD5 96c15d724312919e334c510ba5ea3fb4
SHA1 333699546bf2ee7d11bbef192d119a047e9a9b8e
SHA256 f4bf1ee78bf017e8ddccba7d3732357c958c80c4a72983892ca412c1119171b5
SHA512 3116ab9882430f6d56410b7362dcfbac883dd11fa91a14d6b5127c467d55640ff1c7532e402fa149f103215e043bed96ef1cb3175f5efc967ca37ec2673d84f5

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 7750d9c4b12ea08e2e97d6d4fca7978e
SHA1 145aff40f0a7bf1f23f089b6c83afe00746150c2
SHA256 e0399d147a118a5b1617ecea15c1901447647efad7746a0ce9f8341944f94929
SHA512 4493c722533f55cde4559dcb8615562850c6f02b37f96f43ea3d2ef3b3b72ed7f23724435d113dcee8ac967aa625a671aa143a0cd3249d037e87691bdf07808a

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-06 10:28

Reported

2024-10-06 10:30

Platform

win10v2004-20240802-en

Max time kernel

120s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6fd411b520ee95049b844e6f7383ca126a763434c0f83b04b13aa507a0f897ffN.exe"

Signatures

Renames multiple (4659) files with added filename extension

ransomware

Drops file in Program Files directory

Description | Indicator | Process | Target
All 64 rows: Description = File created; Process = C:\Users\Admin\AppData\Local\Temp\6fd411b520ee95049b844e6f7383ca126a763434c0f83b04b13aa507a0f897ffN.exe; Target = N/A. Indicators:
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\PresentationCore.resources.dll.tmp
C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml.tmp
C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_KMS_Client-ppd.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntryR_PrepidBypass-ppd.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\1033\XLSLICER.DLL.tmp
C:\Program Files\Microsoft Office\root\Office16\msvcr120.dll.tmp
C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin\npdeployJava1.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTrial-ppd.xrm-ms.tmp
C:\Program Files\Java\jre-1.8\bin\hprof.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.CompilerServices.Unsafe.dll.tmp
C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml.tmp
C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-ppd.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial2-pl.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp5-ul-phn.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.DataWarehouse.Interfaces.DLL.tmp
C:\Program Files\Microsoft Office\root\Office16\GFX.DLL.tmp
C:\Program Files\7-Zip\Lang\yo.txt.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Forms.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\PresentationCore.resources.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_OEM_Perp-ul-phn.xrm-ms.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.ReaderWriter.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.Aero.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-pl.xrm-ms.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework-SystemXmlLinq.dll.tmp
C:\Program Files\Microsoft Office\root\Office16\MEDIA\BREEZE.WAV.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\vcruntime140_cor3.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\VisioProMSDNR_Retail-ul-oob.xrm-ms.tmp
C:\Program Files\Common Files\System\msadc\msadco.dll.tmp
C:\Program Files\Java\jdk-1.8\jre\lib\deploy\ffjcext.zip.tmp
C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.scale-180.png.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.TypeExtensions.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail2-pl.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.Recommendation.Common.dll.tmp
C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-140.png.tmp
C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-stdio-l1-1-0.dll.tmp
C:\Program Files\Common Files\microsoft shared\ink\ipsfin.xml.tmp
C:\Program Files\dotnet\host\fxr\6.0.27\hostfxr.dll.tmp
C:\Program Files\Internet Explorer\iexplore.exe.tmp
C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe.tmp
C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Grace-ppd.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_OEM_Perp-ul-oob.xrm-ms.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Text.Encoding.dll.tmp
C:\Program Files\Java\jdk-1.8\bin\schemagen.exe.tmp
C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_Subscription-ppd.xrm-ms.tmp
C:\Program Files\Common Files\microsoft shared\ink\de-DE\TipRes.dll.mui.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\WindowsBase.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Windows.Forms.resources.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_SubTrial-pl.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Grace-ul-oob.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTest-pl.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\TAG.XSL.tmp
C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\ANALYS32.XLL.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Quic.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscorlib.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\PresentationUI.resources.dll.tmp
C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-heap-l1-1-0.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Trial-ul-oob.xrm-ms.tmp
C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-utility-l1-1-0.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail2-ul-phn.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTest-ppd.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.scale-140.png.tmp
C:\Program Files\7-Zip\Lang\va.txt.tmp
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Extensions\external_extensions.json.tmp
C:\Program Files\Java\jdk-1.8\bin\klist.exe.tmp

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6fd411b520ee95049b844e6f7383ca126a763434c0f83b04b13aa507a0f897ffN.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6fd411b520ee95049b844e6f7383ca126a763434c0f83b04b13aa507a0f897ffN.exe

"C:\Users\Admin\AppData\Local\Temp\6fd411b520ee95049b844e6f7383ca126a763434c0f83b04b13aa507a0f897ffN.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp

All nine rows are reverse-DNS (PTR) queries to a public resolver, and the report attributes none of them to a process; no direct connection by the sample appears in either run (behavioral1 recorded no network activity at all). Treat this as guest background traffic rather than evidence of a C2 channel, and do not extract the reverse-resolved addresses as IOCs without corroboration.
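
The PTR names above are the guest's reverse lookups of peers, written octet-reversed. The following is an added example, not code from the sandbox or this report, that decodes the table the way an analyst checks it first: recover the address behind each name, confirm that every row is DNS to the same resolver and that no row is a direct connection, and test whether the recovered addresses are public. The rows are copied from the table; what the recovered addresses belong to is left to the reader's own threat-intel lookup.

```python
"""Decode a sandbox Network table made of in-addr.arpa PTR queries.

Added example, not part of the sandbox report. NETWORK_ROWS is copied from the
report's behavioral2 table in its flattened "Country Destination Domain Proto" form.
"""
import ipaddress

NETWORK_ROWS = [
    "US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp",
    "US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp",
    "US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp",
    "US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp",
    "US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp",
    "US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp",
    "US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp",
    "US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp",
    "US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp",
]


def ptr_name_to_ip(name):
    """'217.106.137.52.in-addr.arpa' -> IPv4Address('52.137.106.217'); None if not a v4 PTR name."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return ipaddress.IPv4Address(".".join(reversed(octets)))
    except ValueError:  # an octet out of range or non-numeric
        return None


def parse_network_row(row):
    """Split one flattened row; the destination column is 'ip:port'."""
    country, dest, domain, proto = row.split()
    host, _, port = dest.rpartition(":")
    return {"country": country, "dest_ip": host, "dest_port": int(port),
            "domain": domain, "proto": proto}


def summarize_network(rows):
    """Whole-table facts an analyst wants before reading individual rows:
    which resolvers were used, which rows are not DNS at all, the set of
    addresses the guest reverse-resolved, and whether all of them are public.
    """
    parsed = [parse_network_row(r) for r in rows]
    looked_up = sorted({str(ip) for ip in (ptr_name_to_ip(p["domain"]) for p in parsed) if ip})
    return {
        "rows": len(parsed),
        "resolvers": sorted({p["dest_ip"] for p in parsed}),
        "non_dns_rows": [p for p in parsed if p["dest_port"] != 53],
        "reverse_lookups": looked_up,
        "all_public": all(ipaddress.ip_address(a).is_global for a in looked_up),
    }


if __name__ == "__main__":
    summary = summarize_network(NETWORK_ROWS)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

An empty `non_dns_rows` list is the quick confirmation that the table contains no connection the sample itself opened; the `reverse_lookups` list is what you would feed to a WHOIS or passive-DNS lookup before deciding whether any of it is attributable to the malware.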

Files

The files listed here are the ransomware's written .tmp outputs, so their hashes are specific to this detonation: the $Recycle.Bin desktop.ini.tmp below hashes differently from its behavioral1 counterpart. They are not reusable IOCs; pin detections on the sample's own SHA256 and on the mass .tmp-suffix write behaviour instead.

C:\$Recycle.Bin\S-1-5-21-2392887640-1187051047-2909758433-1000\desktop.ini.tmp

MD5 3c52caf72d14780bd47c1831290a355a
SHA1 2bce63a588ee49d234c4b6a426a98f71fb18246d
SHA256 0335c3e7185f6e5d5ab63126824798abb5fdcd918e233eec94322226ca97058d
SHA512 6085204c0bc338e228bd7a31676936e3852c021653ef757484f423058dd9ea760f75ec1f5eab26e7b76e39165b761b6bb91d0f062ebf2d987e29c98335236a5b

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 2218675cd7a9240c4ff0313e5800b367
SHA1 4dcef1a7fc8d9b97234364dd8c3d62df91bb6cdc
SHA256 5fed103cc2a5f52c800e7bd74408484415932e834f08a0e72cec67acd43f47eb
SHA512 58a0f550f79924a2b2249de6465ca668e8489d22599a14c8d87352669ff14e1d8a190ae25469135c450f872acc202bae58683d0bc1e4605e5078608e9801a047