Malware Analysis Report

2025-03-15 08:17

Sample ID 241016-ej7pcs1gme
Target f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N
SHA256 f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73
Tags
upx discovery ransomware
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73

Threat Level: Likely malicious

The file f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N was found to be: Likely malicious.

Malicious Activity Summary

upx discovery ransomware

Renames multiple (4652) files with added filename extension

Renames multiple (3237) files with added filename extension

UPX packed file

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-16 03:59

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 03:59

Reported

2024-10-16 04:01

Platform

win7-20240729-en

Max time kernel

149s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe"

Signatures

Renames multiple (3237) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Full\dotsdarkoverlay.png.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-actions.jar.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\demux\libaiff_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\PreviousMenuButtonIcon.png.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\PST8PDT.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\eclipse.inf.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-modules-queries.xml.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-selector-ui.xml.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Dawson_Creek.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\eclipse.inf.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.http.jetty_3.0.200.v20131021-1843.jar.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-spi-actions.xml.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Java\jre7\lib\fonts\LucidaBrightRegular.ttf.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Java\jre7\bin\mlib_image.dll.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Pacific\Tahiti.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\IpsMigrationPlugin.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\bg.pak.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\license.html.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.jdp_5.5.0.165303.jar.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.ui_5.5.0.165303.jar.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Kathmandu.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Seoul.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Java\jre7\bin\JdbcOdbc.dll.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ReachFramework.dll.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationUp_ButtonGraphic.png.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\LICENSE.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\feature.xml.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Rangoon.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-output2.xml.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\codec\libsubstx3g_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Australia\Sydney.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\mshwjpn.dll.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Common Files\System\msadc\es-ES\msdaprsr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\blackbars80.png.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\net.dll.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-fallback_ja.jar.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Common Files\System\msadc\en-US\msdaprsr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainBackground.wmv.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Maceio.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Europe\Berlin.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Entity.dll.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Europe\Malta.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\UIAutomationClient.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\TravelIntroToMain_PAL.wmv.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Sakhalin.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\flight_recorder.png.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.jdp_5.5.0.165303.jar.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\manifest.json.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.VisualC.STLCLR.dll.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\Bear_Formatted_RGB6_PAL.wmv.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Java\jre7\lib\security\cacerts.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Antarctica\Syowa.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Mozilla Firefox\api-ms-win-crt-convert-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\it-IT\oledb32r.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.SF.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host.xml.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\org-netbeans-core_visualvm.jar.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\codec\liblpcm_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\about.html.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Java\jre7\lib\security\blacklist.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\pt_PT\LC_MESSAGES\vlc.mo.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Web.Entity.Resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\7-Zip\License.txt.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe

"C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe"

Network

N/A

Files

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 ffef7e709c4d3f69fa38dae356e13ea6
SHA1 239e5e832a5a056d1c9555b50ddce91ebe6a8060
SHA256 69cf266e1849ece6e73521ab074c5d268322f8c12dc14bd905ac823c5b633036
SHA512 bf5fdc3ec2d6a3fa4b875cf82247ef03228bd0c8300fa3d4110ac3d3941c40e957144772a61f932d84a92ce40f650ce4686469ee6a718a6ad9dfcd77adb247d8

C:\$Recycle.Bin\S-1-5-21-2703099537-420551529-3771253338-1000\desktop.ini.tmp

MD5 b97ff6560f5668725fb6144707069655
SHA1 9efd6d8c432613676f83adf7a2cb5b41b731a20f
SHA256 7dde07cee90a1e5af895b343c3448be78682bfb94093cd7ad44b722ccbaac295
SHA512 8b935271c3d6f5c1da29a7d544e20c616ee49d34fd6af904d8ae261c8c1f12085c1dd8cc17a0f6a70d56617417b0e619d6ce50548dd19bb828f49e9801de4610

memory/2008-0-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2008-74-0x0000000000400000-0x000000000040B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 03:59

Reported

2024-10-16 04:01

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

102s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe"

Signatures

Renames multiple (4652) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Windows.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\TrebuchetMs.xml.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O17EnterpriseVL_Bypass30-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.scale-140.png.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\lt\msipc.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTrial-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_OEM_Perp-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.dll.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\PresentationCore.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Java\jre-1.8\legal\javafx\glib.md.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Retail-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_Subscription-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\client_eula.txt.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.Watcher.dll.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-processthreads-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\jinfo.exe.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Extreme Shadow.eftx.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientCapabilities.json.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\es-ES\InkObj.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\npt.dll.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Encoding.dll.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\jsoundds.dll.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\en-US\InkObj.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Common Files\System\ado\msado60.tlb.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationUI.dll.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-multibyte-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\msjet.xsl.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\GB.XSL.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\CSS7DATA0009.DLL.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\PresentationFramework.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\decora_sse.dll.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\w2k_lsa_auth.dll.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Resources.ResourceManager.dll.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-conio-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_OEM_Perp-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-80.png.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.Tracing.dll.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_KMS_Client-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\PresentationUI.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-runtime-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Orange Red.xml.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Trial-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Common Files\System\msadc\it-IT\msaddsr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Tasks.Dataflow.dll.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\System.Windows.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\cmm\GRAY.pf.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\wsdetect.dll.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Trial-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-black_scale-140.png.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Common Files\System\msadc\msdaremr.dll.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.DataAnnotations.dll.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Windows.Forms.Design.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Trial-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\ea.xml.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.SecureString.dll.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Forms.Primitives.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\javafx.properties.tmp C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe

"C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

memory/4428-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2437139445-1151884604-3026847218-1000\desktop.ini.tmp

MD5 3e24a2ed770abb38dc2cade666b4d914
SHA1 38223cd4279bed7ee6e12002b8141748b449f48f
SHA256 b815e04c58152c1eb8ce70434bf92ac45849b0a899b258d16fe2e4e75376b75a
SHA512 020373d2cea3046b7d110fc11e65fbe075916fe3eae3bd572101028950bf87b6ccc03c56ee7bd35af3f73b86e8e3794334918759b46b22db8f825966306c3234

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 72d9aef172eab5d9939bee3be8b621ab
SHA1 919daffd0c0ccda5431ae3b9fe653aebdb72cf9d
SHA256 8d333eb5c2385cc4b634040fcedefcb5ea3c723fcb94f03d6ee5c149d28eb4fe
SHA512 48df998b53559ef2c5c2f6a7db2b878d2540be0acecdca103074ac788b07681adf2937e17c1584f8f85e71a3b4a2997a1b7a31cecc8d3bfaed3e0b4a747c8a30

memory/4428-650-0x0000000000400000-0x000000000040B000-memory.dmp