Malware Analysis Report

2025-03-15 08:18

Sample ID 241016-g1hsns1cnr
Target def4777d4781fcbd47dd6ab36d8085a4a935092de082860b04c17609b47aa4e8
SHA256 def4777d4781fcbd47dd6ab36d8085a4a935092de082860b04c17609b47aa4e8
Tags upx discovery ransomware
Score 9/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 9/10

SHA256 def4777d4781fcbd47dd6ab36d8085a4a935092de082860b04c17609b47aa4e8

Threat Level: Likely malicious

The file def4777d4781fcbd47dd6ab36d8085a4a935092de082860b04c17609b47aa4e8 was found to be: Likely malicious.

Malicious Activity Summary

upx discovery ransomware

Renames multiple (3935) files with added filename extension

Renames multiple (5192) files with added filename extension

UPX packed file

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-10-16 06:16

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-10-16 06:16
Reported 2024-10-16 06:18
Platform win7-20240903-en
Max time kernel 150s
Max time network 118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\def4777d4781fcbd47dd6ab36d8085a4a935092de082860b04c17609b47aa4e8.exe"

Signatures

Renames multiple (3935) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory


System Location Discovery: System Language Discovery

discovery
Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Local\Temp\def4777d4781fcbd47dd6ab36d8085a4a935092de082860b04c17609b47aa4e8.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\def4777d4781fcbd47dd6ab36d8085a4a935092de082860b04c17609b47aa4e8.exe

"C:\Users\Admin\AppData\Local\Temp\def4777d4781fcbd47dd6ab36d8085a4a935092de082860b04c17609b47aa4e8.exe"

Network

N/A

Files

memory/2436-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3063565911-2056067323-3330884624-1000\desktop.ini.tmp

MD5 c0fe042c85fc67a087225ac05399e406
SHA1 56cedaed6d7bb424d4cb3d040ebb1f71d3433324
SHA256 88a61b61aa681c0cac3e4b56114f7fc94bf86f43e7103961c053226fb85a14f3
SHA512 01b345e378cd76df0fdc01e1a572f45b90bde44806bcb4944b9e2bb18c2c990b7c73b3648d3ce10ede6a4f0024555dc79c81b49feff770c357099101e6e0c0bd

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 7d9b89940fa9a586fed8d3b7732c31d1
SHA1 2924bdbbb0397793850cb4843f25bb23c54dada9
SHA256 85c071de1f60716a57640427521cf97db782d7a32357005358b5e01d598cdef4
SHA512 67a96abee20ef63d3c94088135baaf5a7664de26938d06ac7691d4350cf478f6209fc3c3e5f99fbcb8f68716ed6074943792d3e440a323f0b63534204b079527

memory/2436-74-0x0000000000400000-0x000000000040B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-10-16 06:16
Reported 2024-10-16 06:18
Platform win10v2004-20241007-en
Max time kernel 149s
Max time network 145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\def4777d4781fcbd47dd6ab36d8085a4a935092de082860b04c17609b47aa4e8.exe"

Signatures

Renames multiple (5192) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory


System Location Discovery: System Language Discovery

discovery
Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Local\Temp\def4777d4781fcbd47dd6ab36d8085a4a935092de082860b04c17609b47aa4e8.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\def4777d4781fcbd47dd6ab36d8085a4a935092de082860b04c17609b47aa4e8.exe

"C:\Users\Admin\AppData\Local\Temp\def4777d4781fcbd47dd6ab36d8085a4a935092de082860b04c17609b47aa4e8.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

memory/1944-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-4089630652-1596403869-279772308-1000\desktop.ini.tmp

MD5 f93904288e84d8aeaebc80cc14bf5f69
SHA1 de1f68921ba8889e8f06c385792bbfd72d863a22
SHA256 09a0ce446072bb6a0ada5e1e28643e1717eed90a611e410740c2ec059a07f563
SHA512 d7edbe207c185f106c2312929492caf3fef1e4cc0d14fe3c223c0a12452740eb037309e637bf56d5ba6b38ba0cd33e8aefa01f57cde2f9d67912cf548b4f1a0b

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 55785cc8b1ef8aa91f1c207b8b1dcffc
SHA1 83e30136a8c8692389512c0fc18155121b8ca02e
SHA256 c7e8197bc103d2601323f125207d5712b9c4e4ace0b67a96dd711da1e557461d
SHA512 d521492aa0dbafd28d289e318721b4de651dc1532c740129222256fe58fef982945d58915fc39664428ff50e64b356069aa69c386ec82fa5f635bdeff71910e0

memory/1944-788-0x0000000000400000-0x000000000040B000-memory.dmp