Malware Analysis Report

2025-03-15 08:17

Sample ID 241016-ex3ybswfkr
Target c6805c3e6b9f3aefcba0b960d888bb8b2e7e9ffc3d20458890ec138be1e51eb4N
SHA256 c6805c3e6b9f3aefcba0b960d888bb8b2e7e9ffc3d20458890ec138be1e51eb4
Tags
discovery ransomware upx
score
9/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
9/10

SHA256

c6805c3e6b9f3aefcba0b960d888bb8b2e7e9ffc3d20458890ec138be1e51eb4

Threat Level: Likely malicious

The file c6805c3e6b9f3aefcba0b960d888bb8b2e7e9ffc3d20458890ec138be1e51eb4N was found to be: Likely malicious.

Malicious Activity Summary

discovery ransomware upx

Renames multiple (4421) files with added filename extension (behavioral2, Windows 10)

Renames multiple (256) files with added filename extension (behavioral1, Windows 7)

UPX packed file

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Reading the signatures together: the sample is a small, UPX-packed, unsigned PE (the dumped image region spans 0x400000-0x40B000, 44 KiB) that, on both platforms, creates *.tmp files beside existing files under C:\Program Files and then renames large numbers of files with an appended extension. That create-temporary-then-rename pattern is consistent with in-place file encryption, which is why the "ransomware" tag and the 9/10 score follow from the file activity alone. The report does not record the appended extension, the rename targets, or a ransom note, and the Windows 7 run produced no network activity, so no C2 or key exchange is evidenced by this page. The read of the NLS\Language registry key is the ordinary system-locale lookup and is not indicative on its own; it is reported because some ransomware families use the system language to decide whether to run.

MITRE ATT&CK

Enterprise Matrix V15

The matrix itself is not reproduced on this page. The reported signatures correspond to the following Enterprise techniques:

Obfuscated Files or Information: Software Packing (T1027.002) - UPX packed file
System Location Discovery: System Language Discovery (T1614.001) - NLS\Language key opened
Data Encrypted for Impact (T1486) - Renames multiple files with added filename extension, *.tmp files dropped beside originals

Analysis: static1

Detonation Overview

Reported

2024-10-16 04:20

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
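The two static signatures above ("UPX packed file", "Unsigned PE") can be reproduced from the PE headers alone. The following is an added example written for this page, not the sandbox's own signature logic: a stdlib-only parser that reads the section table and the Authenticode (security) data directory, plus a helper that constructs a header-only PE32 image so the check runs offline. The constructed image, the section names and the `triage` function are assumptions for illustration; the sample's real section names are not shown in the report.

```python
import struct
from typing import Dict, List

# IMAGE_DIRECTORY_ENTRY_SECURITY: the data directory that points at the Authenticode blob.
SECURITY_DIR_INDEX = 4
# Section names written by a stock UPX build. Renamed sections defeat this check,
# so a miss here does not prove the file is unpacked.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def parse_pe(data: bytes) -> Dict:
    """Parse just enough of a PE image to report section names and whether a
    security directory (Authenticode signature) is present."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes).
    machine, num_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32: data directories start at optional header + 96
        dd_off = opt + 96
    elif magic == 0x20B:      # PE32+: data directories start at optional header + 112
        dd_off = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    num_dd = struct.unpack_from("<I", data, dd_off - 4)[0]   # NumberOfRvaAndSizes
    sec_off = sec_size = 0
    if num_dd > SECURITY_DIR_INDEX:
        sec_off, sec_size = struct.unpack_from("<II", data, dd_off + 8 * SECURITY_DIR_INDEX)
    # Section headers (40 bytes each) follow the optional header; name is the first 8 bytes.
    sect_tbl = opt + opt_size
    names: List[bytes] = []
    for i in range(num_sections):
        raw = struct.unpack_from("<8s", data, sect_tbl + 40 * i)[0]
        names.append(raw.rstrip(b"\0"))
    return {
        "machine": machine,
        "sections": names,
        "upx_sections": [n for n in names if n in UPX_SECTION_NAMES],
        # A non-empty directory only means a signature blob exists; validating the
        # certificate chain and the file hash is a separate step (e.g. signtool verify).
        "has_authenticode": sec_size > 0,
    }


def triage(data: bytes) -> List[str]:
    """Return the static signature names that the header evidence supports."""
    info = parse_pe(data)
    findings = []
    if info["upx_sections"]:
        findings.append("UPX packed file")
    if not info["has_authenticode"]:
        findings.append("Unsigned PE")
    return findings


def build_test_pe(section_names: List[bytes], signed: bool) -> bytes:
    """Constructed header-only PE32 image (not a real sample) used to exercise the parser."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 224, 0x102)
    # PE32 optional header: 96 bytes of fields (NumberOfRvaAndSizes last) + 16 directories.
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)
    dirs = bytearray(16 * 8)
    if signed:
        struct.pack_into("<II", dirs, 8 * SECURITY_DIR_INDEX, 0x1000, 0x800)
    sects = b"".join(struct.pack("<8s32x", n) for n in section_names)
    return dos + b"PE\0\0" + coff + opt + bytes(dirs) + sects


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(triage(f.read()))
    else:
        print(triage(build_test_pe([b"UPX0", b"UPX1", b".rsrc"], signed=False)))
```

Run it against a real file with `python pe_triage.py sample.exe` (any filename; the script name is an assumption). The packing check keys on section names only, so a packer that renames its sections, or a repacked UPX stub, will not trigger it; entropy of the largest section is the usual second signal.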

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 04:20

Reported

2024-10-16 04:22

Platform

win7-20241010-en

Max time kernel

116s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c6805c3e6b9f3aefcba0b960d888bb8b2e7e9ffc3d20458890ec138be1e51eb4N.exe"

Signatures

Renames multiple (256) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description: File created (all rows)
Process: C:\Users\Admin\AppData\Local\Temp\c6805c3e6b9f3aefcba0b960d888bb8b2e7e9ffc3d20458890ec138be1e51eb4N.exe (all rows)
Target: N/A (all rows)
Indicator (path of the created file):
C:\Program Files\Common Files\System\msadc\msadds.dll.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\hwrusash.dat.tmp
C:\Program Files\Common Files\System\msadc\fr-FR\msdaprsr.dll.mui.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\15x15dot.png.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationLeft_SelectionSubpicture.png.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\Passport_PAL.wmv.tmp
C:\Program Files\ExitRestore.dxf.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\1047x576black.png.tmp
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_100_percent.pak.tmp
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\bn.pak.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\FlickLearningWizard.exe.mui.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_image-frame-backglow.png.tmp
C:\Program Files\7-Zip\Lang\pt.txt.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-split.avi.tmp
C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini.tmp
C:\Program Files\Common Files\System\msadc\ja-JP\msadcer.dll.mui.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Title_mainImage-mask.png.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\shadowonlyframe_videoinset.png.tmp
C:\Program Files\7-Zip\Lang\hy.txt.tmp
C:\Program Files\Common Files\Microsoft Shared\Stationery\SoftBlue.jpg.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_glass_Thumbnail.bmp.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe.tmp
C:\Program Files\Common Files\System\Ole DB\es-ES\sqloledb.rll.mui.tmp
C:\Program Files\Common Files\System\Ole DB\it-IT\msdasqlr.dll.mui.tmp
C:\Program Files\Common Files\Microsoft Shared\Stationery\Pretty_Peacock.jpg.tmp
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_wer.dll.tmp
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\TipBand.dll.mui.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\en-US\IpsMigrationPlugin.dll.mui.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\Bear_Formatted_RGB6_PAL.wmv.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\1047x576_91n92.png.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\content-background.png.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\TipBand.dll.mui.tmp
C:\Program Files\Common Files\Microsoft Shared\Stationery\Sand_Paper.jpg.tmp
C:\Program Files\Common Files\System\ja-JP\wab32res.dll.mui.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_SelectionSubpictureB.png.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-correct.avi.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\ShapeCollector.exe.mui.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\TipRes.dll.mui.tmp
C:\Program Files\Common Files\System\ado\adojavas.inc.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\sports_disc_mask.png.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\15x15dot.png.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\NavigationButtonSubpicture.png.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\ipskor.xml.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\tipskins.dll.tmp
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI.MOF.tmp
C:\Program Files\Common Files\Microsoft Shared\Stationery\Month_Calendar.emf.tmp
C:\Program Files\Common Files\System\msadc\msadco.dll.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_leftarrow.png.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationRight_SelectionSubpicture.png.tmp
C:\Program Files\Google\Chrome\Application\106.0.5249.119\106.0.5249.119.manifest.tmp
C:\Program Files\7-Zip\Lang\sa.txt.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\tipresx.dll.mui.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyScenesBackground_PAL.wmv.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Scene_loop.wmv.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\bandwidth.png.tmp
C:\Program Files\Common Files\System\Ole DB\sqloledb.dll.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ja-jp.xml.tmp
C:\Program Files\Common Files\System\msadc\de-DE\msadcfr.dll.mui.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationLeft_SelectionSubpicture.png.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\TipTsf.dll.mui.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_kor.xml.tmp
C:\Program Files\Common Files\Microsoft Shared\OFFICE14\msoshext.dll.tmp
C:\Program Files\Common Files\Microsoft Shared\Stationery\Stucco.gif.tmp

Every created file is an existing file's path with ".tmp" appended, the usual write-encrypted-copy-then-rename sequence; the rename targets themselves are not itemised in this report.

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c6805c3e6b9f3aefcba0b960d888bb8b2e7e9ffc3d20458890ec138be1e51eb4N.exe N/A
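The two behavioural signatures in this section, "Renames multiple files with added filename extension" and "Drops file in Program Files directory", are the detection a responder would want to reproduce from endpoint file telemetry rather than from a sandbox. The block below is an added example written for this page, not the sandbox's own rule: it runs a per-process sliding-window count of appended-extension renames over a stream of file events and, for any process that crosses the threshold, reports the extension it appended (which this report omits) and how many *.tmp files it created under C:\Program Files. The event schema, the threshold and window, the process IDs and the ".enc" extension are all constructed assumptions for illustration.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class FileEvent:
    """Assumed telemetry shape (e.g. from Sysmon/EDR file events)."""
    ts: float          # seconds since detonation start
    pid: int
    op: str            # "create" or "rename"
    path: str
    new_path: str = "" # only for renames


def appended_extension(old: str, new: str) -> Optional[str]:
    """Return the suffix if `new` is exactly `old` plus one appended '.ext', else None.
    Requiring a leading dot and no path separator rules out moves into subfolders."""
    tail = new[len(old):]
    if new.startswith(old) and tail.startswith(".") and len(tail) > 1 and "\\" not in tail:
        return tail
    return None


def detect_mass_rename(events: List[FileEvent], threshold: int = 50,
                       window: float = 60.0) -> List[Dict]:
    """Alert on any pid that performs >= `threshold` appended-extension renames
    inside any `window`-second span. Also counts *.tmp files it created under
    Program Files, which is the second signature this report raises."""
    renames: Dict[int, List] = defaultdict(list)   # pid -> [(ts, ext)]
    tmp_drops: Counter = Counter()                  # pid -> *.tmp created under Program Files
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.op == "rename":
            ext = appended_extension(e.path, e.new_path)
            if ext:
                renames[e.pid].append((e.ts, ext))
        elif e.op == "create":
            p = e.path.lower()
            if p.startswith("c:\\program files") and p.endswith(".tmp"):
                tmp_drops[e.pid] += 1

    alerts = []
    for pid, rows in renames.items():
        # rows are time-ordered; find the densest window with two pointers.
        start, best = 0, 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            ext, _ = Counter(x for _, x in rows).most_common(1)[0]
            alerts.append({"pid": pid, "renames_in_window": best,
                           "extension": ext, "tmp_drops": tmp_drops[pid]})
    return alerts


def sample_events() -> List[FileEvent]:
    """Constructed event stream (not taken from the report): pid 3040 drops four *.tmp
    files under Program Files and renames 256 documents with a placeholder '.enc'
    extension; pid 1234 is a benign app that rotates three logs to '.bak'."""
    ev = []
    for i in range(4):
        ev.append(FileEvent(0.5 + i, 3040, "create", f"C:\\Program Files\\7-Zip\\Lang\\{i}.txt.tmp"))
    for i in range(256):
        p = f"C:\\Users\\Admin\\Documents\\doc{i}.docx"
        ev.append(FileEvent(1.0 + i * 0.1, 3040, "rename", p, p + ".enc"))
    for i in range(3):
        p = f"C:\\Users\\Admin\\AppData\\Local\\app\\log{i}.txt"
        ev.append(FileEvent(2.0 + i, 1234, "rename", p, p + ".bak"))
    return ev


if __name__ == "__main__":
    for a in detect_mass_rename(sample_events()):
        print(a)
```

The threshold is deliberately well below the 256 and 4421 counts the sandbox reported; in production the window and threshold should be tuned against backup agents and installers, which also rename in bulk but normally do not append a single new extension to user documents.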

Processes

C:\Users\Admin\AppData\Local\Temp\c6805c3e6b9f3aefcba0b960d888bb8b2e7e9ffc3d20458890ec138be1e51eb4N.exe

"C:\Users\Admin\AppData\Local\Temp\c6805c3e6b9f3aefcba0b960d888bb8b2e7e9ffc3d20458890ec138be1e51eb4N.exe"

Network

N/A (no connections recorded during the 19s network capture)

Files

memory/3040-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3692679935-4019334568-335155002-1000\desktop.ini.tmp

MD5 dd46d51aa122dde79c682b19218e5323
SHA1 7d0b7b71a41d1f3184e371d4f7c670518ad66c94
SHA256 d0949556b7a052d82312b74cefd73eaf778552f93d57073e38ebea2bbb29e2f8
SHA512 cf09f336d6f9842f5473b51a5ceed45bfed3b7d7b89e3d6ae445323e38c7439e6dc8c77fe96a8a252f80354fe788679f0f20179781dfb05106bc0e2815d65c85

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 2f86ebc5296e305d924c98997dd2eb14
SHA1 13e436861b87c16cd0dfea92e117863349571c52
SHA256 b13a99f2dcebb40610c0bd7ecd4fb1743bc6b24dbaaf12aaa2587b9d6389471d
SHA512 6e45fde8ce80825c57982e3435fa64c19712d0be77d40279639ed905d8a75d240ab407e94b4cc3df5ff03967ab8e0b89ac82d1190a096a26e0de025d53a8a527

memory/3040-26-0x0000000000400000-0x000000000040B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 04:20

Reported

2024-10-16 04:22

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

103s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c6805c3e6b9f3aefcba0b960d888bb8b2e7e9ffc3d20458890ec138be1e51eb4N.exe"

Signatures

Renames multiple (4421) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description: File created (all rows)
Process: C:\Users\Admin\AppData\Local\Temp\c6805c3e6b9f3aefcba0b960d888bb8b2e7e9ffc3d20458890ec138be1e51eb4N.exe (all rows)
Target: N/A (all rows)
Indicator (path of the created file):
C:\Program Files\Common Files\microsoft shared\ink\ipsplk.xml.tmp
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\VSTOLoaderUI.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-pl.xrm-ms.tmp
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad.xml.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationUI.dll.tmp
C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaSansRegular.ttf.tmp
C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_KMS_ClientC2R-ul.xrm-ms.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.StackTrace.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-pl.xrm-ms.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ServiceProcess.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Grace-ul-oob.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Document.XmlSerializers.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Windows.Controls.Ribbon.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\PresentationCore.resources.dll.tmp
C:\Program Files\Java\jdk-1.8\jre\legal\javafx\directshow.md.tmp
C:\Program Files\Common Files\microsoft shared\ink\en-US\tipresx.dll.mui.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Windows.Controls.Ribbon.resources.dll.tmp
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_wer.dll.tmp
C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-string-l1-1-0.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Security.Cryptography.ProtectedData.dll.tmp
C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Gothic-Palatino Linotype.xml.tmp
C:\Program Files\Java\jdk-1.8\legal\jdk\relaxngcc.md.tmp
C:\Program Files\Common Files\microsoft shared\ink\de-DE\TabTip.exe.mui.tmp
C:\Program Files\Common Files\microsoft shared\ink\ipshi.xml.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\UIAutomationTypes.resources.dll.tmp
C:\Program Files\Java\jdk-1.8\jre\lib\jfr.jar.tmp
C:\Program Files\Microsoft Office\root\Integration\C2RManifest.officemui.msi.16.en-us.xml.tmp
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\baseAltGr_rtl.xml.tmp
C:\Program Files\Common Files\microsoft shared\ink\ipsrom.xml.tmp
C:\Program Files\Common Files\microsoft shared\ink\tabskb.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Json.dll.tmp
C:\Program Files\Java\jdk-1.8\jre\legal\jdk\dynalink.md.tmp
C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription2-ul-oob.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_MAK-ul-phn.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTrial-ppd.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_K_COL.HXK.tmp
C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-140.png.tmp
C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH_K_COL.HXK.tmp
C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\AUTHOR.XSL.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.InteropServices.RuntimeInformation.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\UIAutomationTypes.resources.dll.tmp
C:\Program Files\Java\jdk-1.8\bin\kinit.exe.tmp
C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_MAK-pl.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-ul-oob.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\1033\ExcelNaiveBayesCommandRanker.txt.tmp
C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-locale-l1-1-0.dll.tmp
C:\Program Files\Common Files\microsoft shared\ink\mshwjpn.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-time-l1-1-0.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Console.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTest-ppd.xrm-ms.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\PresentationFramework.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Diagnostics.EventLog.Messages.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\UIAutomationTypes.resources.dll.tmp
C:\Program Files\Java\jdk-1.8\jre\bin\unpack.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail2-ul-phn.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\1033\WWINTL.DLL.tmp
C:\Program Files\Common Files\microsoft shared\ink\ipsesp.xml.tmp
C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019MSDNR_Retail-ul-oob.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_Subscription-ppd.xrm-ms.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\clrjit.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.VisualBasic.dll.tmp
C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-conio-l1-1-0.dll.tmp

As in the Windows 7 run, each indicator is an existing file's path with ".tmp" appended; the larger rename count (4421) on this image reflects the extra Office, .NET and Java installs present in the Windows 10 environment rather than different sample behaviour.

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c6805c3e6b9f3aefcba0b960d888bb8b2e7e9ffc3d20458890ec138be1e51eb4N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c6805c3e6b9f3aefcba0b960d888bb8b2e7e9ffc3d20458890ec138be1e51eb4N.exe

"C:\Users\Admin\AppData\Local\Temp\c6805c3e6b9f3aefcba0b960d888bb8b2e7e9ffc3d20458890ec138be1e51eb4N.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 100.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

All of this traffic is reverse (PTR) lookups of eight addresses via 8.8.8.8 followed by a forward lookup and five TLS connections to tse1.mm.bing.net. The Network section is recorded per analysis, not per process, and this pattern is commonly produced by Windows 10 itself in a fresh sandbox; the Windows 7 run of the same sample recorded no network activity at all. Nothing here should be treated as a C2 indicator without process-level attribution.

Files

memory/1988-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3756129449-3121373848-4276368241-1000\desktop.ini.tmp

MD5 1e18d47e8814f572a4b433f75b5c3231
SHA1 7b7ebbead8db10abab77060c278310eed805498b
SHA256 375b6b0c96a9799cb93d92fbdc81d6b91cf963737e88f9669630cad61eea1add
SHA512 f53adf698fc3a5f9bd3cf8eee86de2c8b364a2bd616647ba99c5010cad657aacc7ba2d5a75a2c116e9abe890d610c93b8cee1043c3063f385be1a818e797f7cb

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 19d59b9010e56deb84c35ebedd16b2a7
SHA1 de963e51a76f5c669496d4cf70e96df5bf64011b
SHA256 a025f2febf0557a5e7964a19f5a4d712767a2b157b3f49cbb2e5e2d62c636691
SHA512 ca73215e52c77c4a1d592b831cac12a68fb5adaac767c5f6d0b0f662c4bfed845b1902c77cc7b1ed23ec2db7538eae2f0f19c4ea06035d54aeb3d65166fc2628

memory/1988-668-0x0000000000400000-0x000000000040B000-memory.dmp