Malware Analysis Report

2025-01-22 20:14

Sample ID 241016-1ge28athpd
Target 660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc
SHA256 660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc
Tags upx discovery ransomware
Score 9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 9/10

SHA256 660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc

Threat Level: Likely malicious

The file 660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc was found to be: Likely malicious.

Malicious Activity Summary

upx discovery ransomware

Renames multiple (5026) files with added filename extension

Renames multiple (3561) files with added filename extension

UPX packed file

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-10-16 21:37

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-10-16 21:37
Reported 2024-10-16 21:39
Platform win7-20240708-en
Max time kernel 150s
Max time network 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe"

Signatures

Renames multiple (3561) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\videowall.png.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Madeira.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\meta_engine\libfolder_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\7-Zip\Lang\ta.txt.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Common Files\System\msadc\es-ES\msadcer.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Tbilisi.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-windows_zh_CN.jar.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\meta\art\02_frenchtv.luac.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Windows Journal\Templates\To_Do_List.jtp.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeXMP.dll.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPOBJS.DLL.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\UIAutomationProvider.dll.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\SetSuspend.vsw.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_shout_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\video_filter\libmotionblur_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.jpg.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Common Files\System\ado\msadomd.dll.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Madrid.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\com.jrockit.mc.rcp.product_root_5.5.0.165303.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_winxp_blu.css.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.w3c.css.sac_1.3.1.v200903091627.jar.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\CET.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\Microsoft.Build.Conversion.v3.5.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Xml.Linq.Resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_left.png.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)notConnectedStateIcon.png.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-previous-static.png.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_ja.properties.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.nl_zh_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_dot.png.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\JAWTAccessBridge-64.dll.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Kathmandu.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.swt.win32.win32.x86_64.nl_ja_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-print_ja.jar.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Australia\Sydney.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\vlc.mo.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\vlc.mo.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\modules\simplexml.luac.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_gather_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Windows Defender\MsMpCom.dll.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\codec\libaraw_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\7-Zip\Lang\kaa.txt.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\7-Zip\Lang\vi.txt.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationRight_SelectionSubpicture.png.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationUp_SelectionSubpicture.png.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\MANIFEST.MF.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861240389.profile.gz.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.w3c.dom.events_3.0.0.draft20060413_v201105210656.jar.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\CST6CDT.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\dsn.jar.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.directorywatcher.nl_zh_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-modules-appui.xml.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Mozilla Firefox\application.ini.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\visualization\libglspectrum_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_divider_right.png.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\bookbig.gif.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Microsoft Games\More Games\es-ES\MoreGames.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\8.png.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\feature.properties.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\gtkHandle.png.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-io.xml.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Java\jre7\bin\eula.dll.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe

"C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe"

Network

N/A

Files

memory/1644-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-1506706701-1246725540-2219210854-1000\desktop.ini.tmp

MD5 cb2b0965b075db61875f6a35d9a4cea7
SHA1 b4e36299b98cfdccd87b82536b9dda978a5aea4c
SHA256 9a70dd9476258ff34bc5754185dca62678aa4923288f1c51fa7ade0092d0cb44
SHA512 3956108f87e0bc35632540f21f2040f5b7e17c8a1387a442b7897a2b332212aad0d579d5d230d831d064032e418011cd7d726d67e6fb7945a85f44823f093657

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 9eb1cc8026d0f70785d91fed2b3c8dab
SHA1 40ad9c43e1ca8dfbd873c14c4d7cf8ff38a0bce5
SHA256 7b08c772299cbfd094f91c99794e8f86d19754a8cbb082d1153d08c9721b1d47
SHA512 c4a6196c6cba62124315dad5809e6ff20c0ab0740f3e6043130f3911442d04d206fc13d2b45a482b284279f4aa7e2a882a7094aa3178b8d12d2e55300d8a861c

memory/1644-74-0x0000000000400000-0x000000000040B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-10-16 21:37
Reported 2024-10-16 21:39
Platform win10v2004-20241007-en
Max time kernel 149s
Max time network 124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe"

Signatures

Renames multiple (5026) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.Serialization.dll.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_KMS_Client-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\sqlpdw.xsl.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL054.XML.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\tracedefinition130.xml.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Linq.Parallel.dll.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\jce.jar.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Grace-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\DataStreamerLibrary.dll.config.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.CompilerServices.VisualC.dll.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\fonts\LucidaBrightRegular.ttf.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\fonts\LucidaTypewriterBold.ttf.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial2-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-80.png.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.RegularExpressions.dll.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\hi.pak.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Green.xml.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\Office.Runtime.js.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\PresentationFramework.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Windows.Controls.Ribbon.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\System.Windows.Forms.Design.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\FUNCRES.XLAM.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\es\msipc.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Java\jdk-1.8\legal\javafx\mesa3d.md.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-file-l2-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Grace-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial2-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.HttpListener.dll.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\UIAutomationClientSideProviders.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL075.XML.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PROOF\MSHY7FR.DLL.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.WebHeaderCollection.dll.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ServiceProcess.dll.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Threading.AccessControl.dll.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\vcruntime140.dll.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_OEM_Perp-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\CHICAGO.XSL.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_KMS_Client-ul.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_OEM_Perp-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\Microsoft.Ink.dll.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\ReachFramework.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\UIAutomationTypes.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\rmic.exe.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCalls.c.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription2-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\micaut.dll.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\PresentationCore.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\dotnet\swidtag\Microsoft Windows Desktop Runtime - 6.0.27 (x64).swidtag.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_SubTrial-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\sbicuuc58_64.dll.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fr-FR\TabTip.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\dotnet\dotnet.exe.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Internet Explorer\fr-FR\ieinstal.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Grace-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessDemoR_BypassTrial365-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_KMS_ClientC2R-ul.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\sk-SK\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.Win32.Registry.dll.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Windows.Forms.Design.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-heap-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe

"C:\Users\Admin\AppData\Local\Temp\660c7ec4a73d20ee7689cbd27b888bc8863981f0316982380009dbdba923cbbc.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 98.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 5.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

memory/4728-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-4089630652-1596403869-279772308-1000\desktop.ini.tmp

MD5 779c0b3510bba5183c3b4b58f0c9764d
SHA1 c428b7206c26571b8d71317da93038d488196ade
SHA256 2501a3c84fba22105b65361ba24e7a0276058ead6962fd910a302369694ee528
SHA512 82411939597b797fe5b1c0d041e7d049bb177e37f2171eb3815b3413893f1e26c84bb9de82988e3a0792021d428757b340d1be9c15ff9fff223e70153372aacb

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 e67777aedc34ec85c15a8b1cb48931be
SHA1 4048750df219e6f9d86dddf3758879bca8756856
SHA256 5791a9ec3bffe2233a5a4e0a98dd4853e2efbfa9f3e5d1dfa98a84db02018827
SHA512 87477f647ebe81d12341f0aa4567a61876efb590204d9c3a2503edf56edfcd7b3f590e4f1a32c91fd20ec6ae49a0d4dc3949419482c14a1fbbdd43d903542f17

memory/4728-662-0x0000000000400000-0x000000000040B000-memory.dmp