Malware Analysis Report

2025-03-15 08:16

Sample ID 241016-ebyfqa1crh
Target f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N
SHA256 f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73
Tags: upx, discovery, ransomware
Score: 9/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 9/10

SHA256: f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73

Threat Level: Likely malicious

The file f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N was found to be: Likely malicious.

Malicious Activity Summary

Tags: upx, discovery, ransomware

Renames multiple (2592) files with added filename extension

Renames multiple (3379) files with added filename extension

UPX packed file

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-10-16 03:46

Signatures

UPX packed file (tag: upx)
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE (no tag)

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-16 03:46
Reported: 2024-10-16 03:48
Platform: win7-20241010-en
Max time kernel: 119s
Max time network: 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe"

Signatures

Renames multiple (2592) files with added filename extension (tag: ransomware)

UPX packed file (tag: upx)
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target

System Location Discovery: System Language Discovery (tag: discovery)
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe

"C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe"

Network

N/A

Files

C:\$Recycle.Bin\S-1-5-21-2039016743-699959520-214465309-1000\desktop.ini.tmp

MD5 9d529dd31421a3c63ec56b88d32ebf22
SHA1 208f5bef4abeb8f3ff0f935a13742e7856701a7c
SHA256 9973c93617c8ab6e5ee47f467c38683e0aa42fec7478ba480b3a4276be7ce673
SHA512 9701af27d4aba7d22edffff48f1428b1b9076a35b292ef0c431b6471219162fe00434fcb7ec0ec802dc738cfce8ce96b99f2db9adce9a37f8fc3bbf88e920dc9

memory/1964-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 499e0fa21bf8d9c2dda6878abe9f2646
SHA1 48816b441500d74efea6730dff64e81c629d51e6
SHA256 a8bddd803e196c0271eea39a040070ef5d9a5e1fac8a11195261f4f807864050
SHA512 a4b222bdafa6f6717f9cccac2a1d6474ce9c600e59e9e9d3e97014f0fec7735d3af44c7e1ba7c8e789bcf00a6bb2337e11141caa8790d0a11f99de74bfce0b04

memory/1964-68-0x0000000000400000-0x000000000040B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-10-16 03:46
Reported: 2024-10-16 03:48
Platform: win10v2004-20241007-en
Max time kernel: 120s
Max time network: 105s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe"

Signatures

Renames multiple (3379) files with added filename extension (tag: ransomware)

UPX packed file (tag: upx)
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target

System Location Discovery: System Language Discovery (tag: discovery)
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe

"C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe"

Network

Country Destination Domain Proto

Files

memory/2128-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2045521122-590294423-3465680274-1000\desktop.ini.tmp

MD5 8a2619aebf896b37173e7f3fad25aa23
SHA1 95dc752797db7640adbedd9749a1af9851e86d4e
SHA256 f5de1035b26cd509da72a08b18e332501f8362939acd0096fe11829a276dbbb9
SHA512 23a108c3cce4d558b3a35851e8de42f5b392c004e29eb938b5201475e114d98455c560623a62533a3847e7894149f2e6371121b49785fdb27bd9c752c198d5c8

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 611b5fba281ca6dfbd337e6500c8751a
SHA1 371342cfe9cc537d8a9ddf906efebc8014a16502
SHA256 f9f012f1539d8eb14c9d75786d6f69dfcdf80ce240a834276e9fe81787daa9fb
SHA512 afd821d3c9f0349434f7f9ce26fd1d91a3c2ef977ae3f2aa229776a316a805a3a27ae10029040060780a94ab465a5847ec3a815f7dd067d22c2c26f1f633012f

memory/2128-638-0x0000000000400000-0x000000000040B000-memory.dmp