Malware Analysis Report

2025-03-15 08:17

Sample ID 241016-e9f94ashpc
Target c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9
SHA256 c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9
Tags
upx discovery ransomware
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9

Threat Level: Likely malicious

The file c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9 was found to be: Likely malicious.

Malicious Activity Summary

upx discovery ransomware

Renames multiple (5036) files with added filename extension

Renames multiple (3742) files with added filename extension

UPX packed file

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-16 04:38

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 04:38

Reported

2024-10-16 04:40

Platform

win7-20240708-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe"

Signatures

Renames multiple (3742) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Microsoft Games\FreeCell\it-IT\FreeCell.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\library.js.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\css\settings.css.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_cs.jar.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Europe\Zurich.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Bahia.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+5.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Windows Media Player\de-DE\wmpnssui.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Search.api.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Dot.png.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfxrt.jar.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-host-views.jar.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\trad_dot.png.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\currency.js.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_foggy.png.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Kamchatka.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\org.eclipse.equinox.p2.metadata.repository.prefs.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-print_zh_CN.jar.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Mozilla Firefox\defaults\pref\channel-prefs.js.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.Targets.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Windows Media Player\es-ES\wmpnscfg.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\en-US.pak.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.text.nl_zh_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\org.eclipse.rcp_root_4.4.0.v20141007-2301.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.artifact.repository.nl_ja_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\updater_zh_CN.jar.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-io-ui_zh_CN.jar.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\WET.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Windows Media Player\Network Sharing\wmpnss_bw120.png.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\TabIpsps.dll.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainBackground.wmv.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Windows Media Player\Network Sharing\wmpnss_bw32.jpg.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\about.html.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-core-kit.xml.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\jfluid-server_zh_CN.jar.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\System.IdentityModel.Resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\calendar.html.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\settings.html.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\userContent_16x9_imagemask.png.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\db\bin\derby_common.bat.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_mpjpeg_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\tabskb.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Indiana\Marengo.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-options-keymap.jar.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-modules-uihandler.xml_hidden.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macGrey.png.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-util_zh_CN.jar.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\settings.html.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waning-gibbous.png.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Java\jre7\lib\charsets.jar.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Montevideo.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification.zh_CN_5.5.0.165303.jar.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.swt.nl_zh_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Microsoft Games\Mahjong\es-ES\Mahjong.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libugly_resampler_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\cpu.html.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_blue_partly-cloudy.png.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\th.pak.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_m.png.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\vlc.mo.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_smem_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\db\bin\stopNetworkServer.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\MANIFEST.MF.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe

"C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe"

Network

N/A

Files

memory/2292-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3551809350-4263495960-1443967649-1000\desktop.ini.tmp

MD5 5e077483c25f3783507b8d8bd089948a
SHA1 53c3baa2949c0ac7fc6651e715be68db94a00da1
SHA256 feb51caaef46bfe839715055e8f13151bb802322532413d54eb6323b3cde865d
SHA512 cd623ed1e40a29f2216d91ebf2222a2f2d5c34fadd1fa06093f06a5f88179ef50229d041cac51e66896d2aa3fd775a8aa8a0385ed3d1557dc1b286de77b5990e

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 3772f88f4f65e75c0f0e335b47bc0f85
SHA1 dda1222551b17fd97070f07b08360b5347c7b539
SHA256 6651f7e34a6c194a7199c9bb47de2d36e4d7d482c7f866966726dd21798d223f
SHA512 019cbfbf5056e8fd32ad91d86beff8f9e5495ed317be36ffa2099d32c06f1b1925d2ed9805bacab12a24a90391022f60244458f7fb2dd9de1e32d24cdb47d02e

memory/2292-69-0x0000000000400000-0x000000000040A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 04:38

Reported

2024-10-16 04:40

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe"

Signatures

Renames multiple (5036) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hu-hu.dll.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ko-KR\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\Microsoft.VisualBasic.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_Subscription-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\sl-SI\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Security.Cryptography.Xml.dll.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\123.0.6312.123.manifest.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-math-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\System.Windows.Controls.Ribbon.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\msvcp140_1.dll.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\msvcp140.dll.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Trial-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTrial-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_K_COL.HXK.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PROOF\msth8ES.LEX.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\SFBAPPSDK.DLL.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTest-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-flag.png.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Tasks.Dataflow.dll.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\7-Zip\Lang\tt.txt.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Data.Common.dll.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\WindowsFormsIntegration.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_KMS_Client-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.Win32.Registry.dll.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-root.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\FA000000011.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\7-Zip\Lang\sw.txt.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\eula.dll.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\management\jmxremote.password.template.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_OEM_Perp-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Retail-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ONBttnWD.dll.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Internet Explorer\IEShims.dll.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\lcms.dll.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\excelcnvpxy.dll.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.DirectoryServices.dll.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\mraut.dll.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.DataAnnotations.dll.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\security\public_suffix_list.dat.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\sqmapi_x64.dll.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-180.png.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\ca\msipc.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\msvcp140.dll.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\WindowsBase.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-namedpipe-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Encoding.CodePages.dll.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\UIAutomationClientSideProviders.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription5-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial2-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.AnalysisServices.AdomdClientUI.dll.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\7-Zip\Lang\eu.txt.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail2-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.dll.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Yellow Orange.xml.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_COL.HXC.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_K_COL.HXK.tmp C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe

"C:\Users\Admin\AppData\Local\Temp\c51b909fa98e216faed878480a96c0f7da4e54a6c76a460076178a5cb9fe4ec9.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

memory/624-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2878641211-696417878-3864914810-1000\desktop.ini.tmp

MD5 f79f7482748300cbbee9bf97b3c41fd7
SHA1 d079925e921e980e4b594ac4464690518c3240da
SHA256 16ea7e2b06b10c6aa95f74ea3e02352d0c4c07e8de7c3d297eb06107d85af514
SHA512 0f3da562265d57d0253622ee090dc69fd3fdc3c3e9bcc59a23aa8d2d280cd801a54688e0dbdc8464442496614c6c051d8a8a969072982035758d47fcb30406b4

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 e488b56fcbc5135fff709a1338339715
SHA1 cb325b8a1b1d12c7cfebb1af90cab511b172ee54
SHA256 617455b326e22b7e6274e3c5effabe696b94711aaa367c5eefee79bfa78e764e
SHA512 d9d9f3d67b7b2d09841aa414af1100255ab55573ed7853f54b37e41bef9fc42364477be91e96c94d9be98de3a663135f92af22487cc8cf19c7304fa47aec3993

memory/624-669-0x0000000000400000-0x000000000040A000-memory.dmp