Malware Analysis Report

2025-03-15 08:14

Sample ID 241016-fwd39ayckn
Target c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a
SHA256 c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a
Tags
upx discovery ransomware
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a

Threat Level: Likely malicious

The file c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a was found to be: Likely malicious.

Malicious Activity Summary

upx discovery ransomware

Renames multiple (4858) files with added filename extension (behavioral2, win10 run)

Renames multiple (3438) files with added filename extension (behavioral1, win7 run)

UPX packed file

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

MITRE ATT&CK

Enterprise Matrix V15

The body of this section did not survive extraction; the mapping below is reconstructed from the signature names the report does carry, which are ATT&CK technique names:

T1027.002 Obfuscated Files or Information: Software Packing (UPX packed file)

T1614.001 System Location Discovery: System Language Discovery (NLS\Language key opened)

T1486 Data Encrypted for Impact (the ransomware-tagged mass rename-with-extension signatures)

Analysis: static1

Detonation Overview

Reported

2024-10-16 05:13

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
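Both static1 signatures can be checked independently of the sandbox. The Python below is an added example, not the sandbox's own logic or code from the report: it parses only the PE headers (no third-party library) and reports whether the section table carries UPX's default section names, whether the `UPX!` marker string is present, and whether the Security data directory is non-empty, which is what an embedded Authenticode signature looks like at the header level. `build_test_pe` constructs a minimal synthetic PE so the check runs offline; it is not derived from the sample. Two caveats: UPX section names can be renamed, so a clean name check is not proof of "not packed", and an empty Security directory rules out embedded signing only (catalog signing, which OS binaries use, is not checked); for an executable run from %TEMP% that is the practical meaning of "Unsigned PE".

```python
import struct

# Section names UPX leaves in place by default; renamed sections defeat this
# heuristic, so the "UPX!" marker string is checked as a second signal.
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}
IMAGE_DIRECTORY_ENTRY_SECURITY = 4


def inspect_pe(data: bytes) -> dict:
    """Parse just enough of a PE file to answer the two static1 questions:
    does it carry UPX sections, and does it carry an embedded Authenticode
    signature (a non-empty Security data directory)?"""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")

    coff = e_lfanew + 4
    (_machine, n_sections, _ts, _symtab, _nsyms,
     opt_size, _chars) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:    # PE32: NumberOfRvaAndSizes at +92, directories at +96
        n_dirs_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:  # PE32+: NumberOfRvaAndSizes at +108, directories at +112
        n_dirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")

    n_dirs = struct.unpack_from("<I", data, n_dirs_off)[0]
    sec_off = sec_size = 0
    if n_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        # Unlike every other directory, the Security entry holds a file
        # offset, not an RVA, because the certificate table is never mapped.
        sec_off, sec_size = struct.unpack_from(
            "<II", data, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)

    names = []
    sec_table = opt + opt_size
    for i in range(n_sections):
        raw = data[sec_table + 40 * i: sec_table + 40 * i + 8]
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))

    return {
        "sections": names,
        "upx_sections": any(n in UPX_SECTION_NAMES for n in names),
        "upx_marker": b"UPX!" in data,
        "authenticode_present": sec_size > 0,
        "security_dir": (sec_off, sec_size),
    }


def build_test_pe(section_names, security_size=0) -> bytes:
    """Build a minimal, non-runnable PE32 image with the given section names,
    purely so the checker can be exercised offline. This is a constructed
    fixture, not derived from the sample in this report."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)   # e_lfanew = 64
    opt_size = 96 + 16 * 8                               # PE32 header + 16 directories
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)
    dirs = bytearray(16 * 8)
    if security_size:
        struct.pack_into("<II", dirs, 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x1000, security_size)
    sections = b"".join(
        name.encode("ascii").ljust(8, b"\0")
        + struct.pack("<IIIIIIHHI", 0x1000, 0x1000 * (i + 1), 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
        for i, name in enumerate(section_names))
    return dos + b"PE\0\0" + coff + opt + bytes(dirs) + sections


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:
        print(inspect_pe(fh.read()))
```

Run it as `python inspect_pe.py <sample.exe>` on a local copy of the file; a hit on either UPX signal plus `authenticode_present: False` reproduces the static1 findings.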

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 05:13

Reported

2024-10-16 05:15

Platform

win7-20240903-en

Max time kernel

150s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe"

Signatures

Renames multiple (3438) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\Microsoft.Build.Engine.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\vlc.mo.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\stream_filter\librecord_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_mosaic_bridge_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Windows NT\TableTextService\TableTextServiceArray.txt.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.intro_3.4.200.v20130326-1254.jar.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Asia\Tashkent.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\jsound.dll.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Africa\Maputo.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Windows Media Player\ja-JP\WMPDMCCore.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad.xml.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvmstat_ja.jar.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Asia\Colombo.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Australia\Adelaide.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libprefetch_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\db\lib\derby.war.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\YST9.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\Microsoft.Build.Utilities.v3.5.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\jfxmedia.dll.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Java\jre7\bin\jpeg.dll.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\demux\libdemux_stl_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext.png.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_babypink_Thumbnail.bmp.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-dialogs.xml.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Moncton.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WindowsBase.dll.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Vladivostok.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Niue.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.zh_CN_5.5.0.165303.jar.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring-fallback.xml.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Java\jre7\bin\jdwp.dll.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\css\currency.css.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwresslm.dat.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\bear_formatted_matte2.wmv.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Krasnoyarsk.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Africa\Johannesburg.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_right_disabled.png.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\js\library.js.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InputPersonalization.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOMessageProvider.dll.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\delete_down.png.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Internet Explorer\Timeline.dll.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.IdentityModel.dll.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-uihandler.xml.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Asia\Irkutsk.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.lnk.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bPrev-hot.png.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_divider.png.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Broken_Hill.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.observable.nl_zh_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-utilities.jar.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jvm.xml.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Europe\Zurich.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Xml.Linq.Resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffd27a_256x240.png.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\settings.html.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\7-Zip\Lang\fi.txt.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\nb.pak.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ext_5.5.0.165303.jar.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\THIRDPARTYLICENSEREADME.txt.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Windows Media Player\ja-JP\mpvis.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Windows NT\Accessories\en-US\wordpad.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A

Opening HKLM\SYSTEM\ControlSet001\Control\NLS\Language is how a process reads the installed system language, a check ransomware families commonly use to skip hosts in excluded locales. The same key is read during ordinary locale initialisation, so on its own this signature is low-fidelity. Nothing in this report shows the sample acting on the result: both images are English builds (win7-20240903-en here, win10v2004-20241007-en in behavioral2), the win10 run records the identical key open, and the sample went on to mass-rename files in both.

Processes

C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe

"C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe"

Network

N/A

Files

memory/2648-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-1846800975-3917212583-2893086201-1000\desktop.ini.tmp

MD5 f47e6cf707e9e5e9d6b2a07da9b83246
SHA1 64c8273d898881a81ec9f17d10fc4cb1e326d256
SHA256 4d43832a1de56ddd59ae93021013126d3a290095a1aae2f960939243a91d8774
SHA512 4e10a158802303b4cc67ae05193c044f862ff3755d086fceb0188abc154c0962753263cf10a1598370ad5d988ebcefbba76aa9167d9df7f1fba322370fcbf95a

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 f7021e263cba786ddc2e61fbb64392c7
SHA1 7b02e0a047fee493a0c7e8abc8f530e5ba4c97f9
SHA256 0e5b107608a73fc25bedfbd3cc0db596469a7b9ffa47ca6e27895c1fb1efc1a8
SHA512 d4f21ffd118b09476f7f055443ffa42828611c872eb0c6341f0019f515f8bab29bc3bf68b23090823f76493012dfb779dc860f8ff792bf3a4741a8f58d068f5a

memory/2648-70-0x0000000000400000-0x000000000040B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 05:13

Reported

2024-10-16 05:15

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe"

Signatures

Renames multiple (4858) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\PresentationUI.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlusDemoR_BypassTrial180-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Windows.Controls.Ribbon.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\PresentationUI.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\fonts\LucidaBrightItalic.ttf.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Calibri Light-Constantia.xml.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA\libcrypto-1_1-x64.dll.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\7-Zip\Lang\mk.txt.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\zip.dll.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\legal\jdk\cryptix.md.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVOrchestration.dll.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\PresentationFramework.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Forms.Design.Editors.dll.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Microsoft Office\root\Office15\pidgenx.dll.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHLTS.DAT.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PowerPointCombinedFloatieModel.bin.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\PresentationFramework.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\kinit.exe.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTrial-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-file-l1-2-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\oledbvbs.inc.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\System.Xaml.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\v8_context_snapshot.bin.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\j2pcsc.dll.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\IEAWSDC.DLL.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\instrument.dll.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\vcruntime140.dll.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.ScriptDom.dll.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\excel-udf-host.win32.bundle.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Microsoft Office\root\Integration\C2RManifest.officemui.msi.16.en-us.xml.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ipsen.xml.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-conio-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Diagnostics.EventLog.Messages.dll.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Extensions.dll.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\verify.dll.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription3-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_MAK-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONDIRECTX.DLL.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.DiaSymReader.Native.amd64.dll.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-timezone-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\jfr\default.jfc.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-100.png.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSO.FRAMEPROTOCOLWIN32.DLL.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.WebHeaderCollection.dll.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.NETCore.App.runtimeconfig.json.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-locale-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Trial-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Java\jdk-1.8\include\win32\jawt_md.h.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Subtle Solids.eftx.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fr-FR\InputPersonalization.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Common Files\System\ado\msado25.tlb.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.UnmanagedMemoryStream.dll.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Xaml.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Windows.Forms.Design.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Trial-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PersonalDemoR_BypassTrial180-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A
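The two "Drops file in Program Files directory" tables (the win7 run above and this win10 run) show the same pattern: every indicator is an existing file path with `.tmp` appended, created by the sample process, across every product directory under Program Files. Together with the "Renames multiple files with added filename extension" signature that is the report's evidence for the ransomware tag; the tables record only the create events, not what became of the originals. The Python below is an added example, not the sandbox's code or the report's: it parses rows in the report's "Description Indicator Process Target" layout back into fields, recovers the appended extension and the affected product directories, and implements the mass-rename heuristic the signature expresses as a detection over per-process file events. The twelve paths are copied from the two tables and the process path is the one from the Process column; the svchost.exe events and the thresholds are constructed for the demonstration.

```python
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# Process path of the sample, as recorded in the report's Process column.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe")

# A subset of the indicator paths copied from the two "Drops file in Program
# Files directory" tables (win7 and win10 runs); rows are rebuilt below in the
# report's own layout.
PATHS = [
    r"C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\vlc.mo.tmp",
    r"C:\Program Files\VideoLAN\VLC\plugins\stream_filter\librecord_plugin.dll.tmp",
    r"C:\Program Files\Java\jre7\lib\zi\Asia\Tashkent.tmp",
    r"C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe.tmp",
    r"C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext.png.tmp",
    r"C:\Program Files\Common Files\Microsoft Shared\ink\hwresslm.dat.tmp",
    r"C:\Program Files\7-Zip\Lang\fi.txt.tmp",
    r"C:\Program Files\Microsoft Office\root\Office15\pidgenx.dll.tmp",
    r"C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Forms.Design.Editors.dll.tmp",
    r"C:\Program Files\Java\jdk-1.8\bin\kinit.exe.tmp",
    r"C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe.tmp",
    r"C:\Program Files\Common Files\System\ado\msado25.tlb.tmp",
]
ROWS = [f"File created {p} {SAMPLE} N/A" for p in PATHS]

# Constructed benign events (not from the report) that the detector must not flag.
BENIGN_EVENTS = [
    {"process": r"C:\Windows\System32\svchost.exe", "path": r"C:\Windows\Temp\update.log"},
    {"process": r"C:\Windows\System32\svchost.exe", "path": r"C:\Windows\Temp\update.tmp"},
]

# The indicator path may contain spaces ("Program Files"); the process path in
# this report does not, which is what lets the regex anchor on it.
ROW_RE = re.compile(r"^File created (?P<path>.+?) (?P<process>[A-Za-z]:\\\S+) (?P<target>\S+)$")


def parse_rows(rows):
    """Split report rows back into path / process / target fields."""
    out = []
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            raise ValueError(f"unparsed row: {row!r}")
        out.append(m.groupdict())
    return out


def split_added_suffix(path):
    """'...\\vlc.mo.tmp' -> ('...\\vlc.mo', '.tmp'): original name and appended extension."""
    p = PureWindowsPath(path)
    return str(p.with_suffix("")), p.suffix


def product_dir(path):
    """Top-level product directory under Program Files, e.g. 'VideoLAN'."""
    parts = PureWindowsPath(path).parts
    if len(parts) > 2 and parts[1].lower().startswith("program files"):
        return parts[2]
    return parts[1] if len(parts) > 1 else path


def summarize(events):
    suffixes = Counter(split_added_suffix(e["path"])[1] for e in events)
    products = sorted({product_dir(e["path"]) for e in events})
    return {"count": len(events), "suffixes": dict(suffixes), "products": products}


def flag_mass_rename(events, threshold=20, min_share=0.9):
    """Flag processes whose file creates are dominated by one appended extension:
    at least `threshold` creates, with `min_share` of them sharing one suffix.
    Thresholds are illustrative; the report's runs hit 3438 and 4858 renames."""
    per_proc = defaultdict(Counter)
    for e in events:
        per_proc[e["process"]][split_added_suffix(e["path"])[1]] += 1
    flagged = {}
    for proc, counter in per_proc.items():
        total = sum(counter.values())
        suffix, n = counter.most_common(1)[0]
        if total >= threshold and n / total >= min_share:
            flagged[proc] = {"count": total, "suffix": suffix}
    return flagged


if __name__ == "__main__":
    events = parse_rows(ROWS)
    print(summarize(events))
    print(flag_mass_rename(events + BENIGN_EVENTS, threshold=10))
```

In production the events would come from Sysmon Event ID 11 (FileCreate) or an EDR file-event stream rather than report rows; `threshold` and `min_share` are the tunables, and several thousand creates sharing one new suffix inside a two-minute window is far beyond any sensible threshold.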

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe

"C:\Users\Admin\AppData\Local\Temp\c78e6e8fb651e31c9abfc5a5a6cb2c69287bdcd3b6515c7bb63ebb1ecf519a8a.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 71.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Neither run attributes any network activity to the sample process (this table has no Process column, and the win7 run recorded no traffic at all). What the win10 run shows is reverse-DNS (in-addr.arpa) lookups via 8.8.8.8 and TLS connections to Bing endpoints, which is consistent with the background traffic of a Windows 10 image rather than with sample-initiated command-and-control. None of these destinations should be used as an indicator for this sample.

Files

memory/3196-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3350944739-639801879-157714471-1000\desktop.ini.tmp

MD5 3f5cef2e3187b962bd1e6e1feaaf7ce6
SHA1 348eed715f3b9ab8fb99eabbbce73be8c9f690eb
SHA256 ace93ed202e796c5d54f572db1d6079be5ad76f411b9a4da8747edc89123ab26
SHA512 2f002d4f339313f8c9b1f83a63758d764401b7777e77a2ce8f92a0b62f4c11ab5782da9dd74faff7c7415a1ed658bfe01426f8ab138730ea16e968af66941ca1

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 be8d984d9b7aaa03ef67c197cc748ae2
SHA1 78931ce29f002be14e03f3fbd459b10fbb27cf3a
SHA256 f4599f48baad369f6736448deff86ca022f0185f87b87d49140f5cca674ae93e
SHA512 ed586c5cc768531ea8c3d4f73d23090d6c859e0a3e2c653f12623a903878e1f717ac59e938f4a7a5a5a26401e88b593a41e40e318c7e76d0b02e371bbeb6c8ba

memory/3196-660-0x0000000000400000-0x000000000040B000-memory.dmp

The hashes listed under Files in both runs are of the sample's output (the rewritten .tmp files), not of the sample itself. They differ between the two runs for the same source file (compare the desktop.ini.tmp entries in behavioral1 and behavioral2), so they are per-run artefacts and not reusable indicators; the only stable file IOC in this report is the sample's own SHA256 at the top. The memory dumps cover the same 0x400000-0x40B000 range in both runs, a mapped image of about 44 KiB, consistent with the small UPX-packed executable identified in static1.