Malware Analysis Report

2025-01-22 19:56

Sample ID 241016-w1q7davarg
Target d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N
SHA256 d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72
Tags
upx discovery ransomware
score
9/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
9/10

SHA256

d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72

Threat Level: Likely malicious

The file d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N was found to be: Likely malicious.

Malicious Activity Summary

upx discovery ransomware

Renames multiple (319) files with added filename extension

Renames multiple (4423) files with added filename extension

UPX packed file

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-16 18:23

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 18:23

Reported

2024-10-16 18:25

Platform

win7-20241010-en

Max time kernel

120s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe"

Signatures

Renames multiple (319) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationRight_ButtonGraphic.png.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\tipresx.dll.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\Common Files\System\msadc\de-DE\msadcor.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\Common Files\System\msadc\en-US\msadcor.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\mainimage-mask.png.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationUp_ButtonGraphic.png.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\7-Zip\Lang\tt.txt.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\Common Files\System\ado\msado15.dll.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationLeft_SelectionSubpicture.png.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\Common Files\System\ado\es-ES\msader15.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\bear_formatted_rgb6.wmv.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\play-static.png.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DissolveAnother.png.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_VideoInset.png.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Wrinkled_Paper.gif.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\el.pak.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\7-Zip\Lang\pa-in.txt.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\OFFICE14\msoshext.dll.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\oledbvbs.inc.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\gu.pak.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Trans_Scene_PAL.wmv.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\203x8subpicture.png.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\Microsoft.Ink.dll.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\msdaps.dll.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Notes_btn-back-static.png.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationUp_ButtonGraphic.png.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\DVD Maker\fr-FR\OmdProject.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-previous-static.png.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Full\pushplaysubpicture.png.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\16_9-frame-background.png.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad.xml.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\Common Files\System\ado\msado20.tlb.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\Common Files\System\msadc\msadce.dll.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\7-Zip\Lang\fy.txt.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\7-Zip\Lang\mng2.txt.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Filters\VISFILT.DLL.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\InkWatson.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\delete.avi.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_LOOP_BG.wmv.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\en-GB.pak.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\msdasql.dll.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\shadowonlyframe_buttongraphic.png.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\baseAltGr_rtl.xml.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwrfralm.dat.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee100.tlb.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\sqlxmlx.dll.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\LogoDev.png.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\7-Zip\Lang\et.txt.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-correct.avi.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ja-jp.xml.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\7-Zip\Lang\fur.txt.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\FlickLearningWizard.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\DVD Maker\en-US\OmdProject.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\7-Zip\Lang\gl.txt.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\osppobjs-spp-plugin-manifest-signed.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\MSTTSCommon.dll.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\Common Files\System\ado\adojavas.inc.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Seyes.emf.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\Common Files\System\msadc\msdarem.dll.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\shadowonlyframe_selectionsubpicture.png.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe

"C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe"

Network

N/A

Files

memory/2248-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3692679935-4019334568-335155002-1000\desktop.ini.tmp

MD5 a7d528ea766f6a62c7256dc48c85240c
SHA1 3fc134817698567ab35d0cda599fb4f7afd6ad26
SHA256 3f2c16e863428404cd10386dd41ac5e4f9e60a12577e1e9444707eb724764c83
SHA512 2e55b532a4e375ca1b7bee44a7221f6c3acfac96f32dcb2959bd7546675e45a1fc0e0aadf8858b93a427f194c187970d66fee778a23358a30e53381d4c2a9924

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 2ac594fb308e4754d24f1a2432e228e3
SHA1 1f6a12128fe00276aedf2141a58eb9f37997dbab
SHA256 d7b632aa65f5e6411e73cc3c02434a93fb43bcd42c978cae969e0ecd3e80a66a
SHA512 8a6a72c8f006bc442834df14da8cd0edca27d3f270c29c623706ed6ba1205076d514b0066a70b8cd276ef3a823a077b7891f23d17bd0c01db620df6cb13e94e7

memory/2248-20-0x0000000000400000-0x000000000040B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 18:23

Reported

2024-10-16 18:25

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

109s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe"

Signatures

Renames multiple (4423) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\Microsoft.VisualBasic.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial3-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Grace-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Retail-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui.xml.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Ping.dll.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\Microsoft.VisualBasic.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Collections.dll.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.Emit.dll.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_Subscription-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\PresentationCore.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\Java\jdk-1.8\legal\jdk\xerces.md.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.RegularExpressions.dll.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\UIAutomationTypes.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Windows.Forms.Primitives.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\7-Zip\Lang\fy.txt.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-file-l2-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\es-ES\msdasqlr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-private-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\Java\jdk-1.8\lib\jawt.lib.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_Subscription-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\Invite or Link.one.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\WidevineCdm\LICENSE.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_Subscription-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_Subscription-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-filesystem-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TipRes.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\UIAutomationTypes.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\PresentationUI.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\CLVWINTL.DLL.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\Microsoft.VisualBasic.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_MAK_AE-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\UIAutomationClientSideProviders.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_PrepidBypass-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Thread.dll.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\WindowsFormsIntegration.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Grace-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\WindowsBase.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription1-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\sqloledb.rll.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Pipes.dll.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\UIAutomationProvider.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\jfxswt.jar.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-runtime-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_KMS_Client-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\jfxswt.jar.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\security\java.policy.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019DemoR_BypassTrial180-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\WordR_Grace-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\WordVL_MAK-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\7-Zip\Lang\tt.txt.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\coreclr.dll.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\ReachFramework.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\offsym.ttf.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Inset.eftx.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PersonalDemoR_BypassTrial180-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_OEM_Perp-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe

"C:\Users\Admin\AppData\Local\Temp\d2cee998a3dc4cdb299a99a4165e15cbda2d8ba7cf5cb7e1faa743250fae0e72N.exe"

Network

Country  Destination         Domain                         Proto
US       8.8.8.8:53          209.205.72.20.in-addr.arpa     udp
US       8.8.8.8:53          75.159.190.20.in-addr.arpa     udp
US       8.8.8.8:53          240.221.184.93.in-addr.arpa    udp
US       8.8.8.8:53          26.35.223.20.in-addr.arpa      udp
US       8.8.8.8:53          95.221.229.192.in-addr.arpa    udp
US       8.8.8.8:53          53.210.109.20.in-addr.arpa     udp
US       8.8.8.8:53          18.31.95.13.in-addr.arpa       udp
US       8.8.8.8:53          98.117.19.2.in-addr.arpa       udp
US       8.8.8.8:53          21.236.111.52.in-addr.arpa     udp
US       8.8.8.8:53          tse1.mm.bing.net               udp
US       150.171.28.10:443   tse1.mm.bing.net               tcp
US       150.171.28.10:443   tse1.mm.bing.net               tcp
US       150.171.28.10:443   tse1.mm.bing.net               tcp
US       150.171.28.10:443   tse1.mm.bing.net               tcp
US       8.8.8.8:53          10.28.171.150.in-addr.arpa     udp

Files

memory/4788-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-493223053-2004649691-1575712786-1000\desktop.ini.tmp

MD5 f25ad5b486a2e9e552c6d3bbe9b544bd
SHA1 2a88bc51e4dbf13d70f33edf36bc83bc8a9dbc8b
SHA256 5c1210848e61f9108ab3e2880f23e8cd88f3cd8385d0a7401b8c6d863af3726d
SHA512 0835ad36d980b6a4d29d04b4fb9ceb24fd7a27ceec890ef719e9305a3cb8b6efba0daf98740d110b07d7c3ebed945c03bba3eacd575dde11036b3a753792683e

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 2a64285dce9db9ae80678186840cc60b
SHA1 c82023321b3bd5633d9ddb158b02300e0ba4b583
SHA256 873e66e55db977e081bb4030c85c3e6484eec37261107bf1259c62857bfe3637
SHA512 95dab61703f0ed1aa50608c7185c4f75df1e2cee0fca39be5024049354d6294a52f39e76341ec47739cf75eaf725c80be9a5060d2cb22ff3cb3f28cd192d48b7

memory/4788-784-0x0000000000400000-0x000000000040B000-memory.dmp