Malware Analysis Report

2025-01-22 19:58

Sample ID 241016-wa9wsswgpk
Target 4f63ad5c50a5b99c97a661109f13ab424f55b693478a151e02d0009b4c61034aN
SHA256 4f63ad5c50a5b99c97a661109f13ab424f55b693478a151e02d0009b4c61034a
Tags
upx discovery ransomware
score
9/10

Analysis Overview

score
9/10

SHA256

4f63ad5c50a5b99c97a661109f13ab424f55b693478a151e02d0009b4c61034a

Threat Level: Likely malicious

The file 4f63ad5c50a5b99c97a661109f13ab424f55b693478a151e02d0009b4c61034aN was found to be: Likely malicious.

Malicious Activity Summary

upx discovery ransomware

Renames multiple (3029) files with added filename extension

Renames multiple (4323) files with added filename extension

UPX packed file

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-10-16 17:44

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 17:44

Reported

2024-10-16 17:46

Platform

win7-20240903-en

Max time kernel

120s

Max time network

20s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4f63ad5c50a5b99c97a661109f13ab424f55b693478a151e02d0009b4c61034aN.exe"

Signatures

Renames multiple (3029) files with added filename extension

ransomware

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in Program Files directory

Process (every row): C:\Users\Admin\AppData\Local\Temp\4f63ad5c50a5b99c97a661109f13ab424f55b693478a151e02d0009b4c61034aN.exe
Target (every row): N/A

Description | Indicator
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\ParentMenuButtonIcon.png.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\msvcr100.dll.tmp
File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.Printing.resources.dll.tmp
File created | C:\Program Files\7-Zip\Lang\cs.txt.tmp
File created | C:\Program Files\Common Files\Microsoft Shared\ink\mraut.dll.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\indxicon.gif.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench_1.2.1.v20140901-1244.jar.tmp
File created | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\symbase.xml.tmp
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\DvdTransform.fx.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\jre\bin\jfr.dll.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.nl_ja_4.4.0.v20140623020002.jar.tmp
File created | C:\Program Files\Microsoft Games\Mahjong\Mahjong.dll.tmp
File created | C:\Program Files\Microsoft Games\Multiplayer\Spades\es-ES\shvlzm.exe.mui.tmp
File created | C:\Program Files\Java\jre7\lib\zi\America\Creston.tmp
File created | C:\Program Files\Microsoft Games\More Games\it-IT\MoreGames.dll.mui.tmp
File created | C:\Program Files\Mozilla Firefox\api-ms-win-crt-multibyte-l1-1-0.dll.tmp
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_uparrow.png.tmp
File created | C:\Program Files\7-Zip\Lang\hr.txt.tmp
File created | C:\Program Files\Common Files\Microsoft Shared\Stationery\Connectivity.gif.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_fr.properties.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.net_1.2.200.v20140124-2013.jar.tmp
File created | C:\Program Files\Java\jre7\bin\libxml2.dll.tmp
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\huemainsubpicture2.png.tmp
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-next-static.png.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Guayaquil.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\eclipse.inf.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf.tmp
File created | C:\Program Files\Java\jre7\lib\zi\America\Campo_Grande.tmp
File created | C:\Program Files\Java\jre7\release.tmp
File created | C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\IpsMigrationPlugin.dll.mui.tmp
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\photograph.png.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.nl_zh_4.4.0.v20140623020002.jar.tmp
File created | C:\Program Files\Java\jre7\lib\zi\Africa\Tunis.tmp
File created | C:\Program Files\Common Files\Microsoft Shared\Stationery\Memo.emf.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Anchorage.tmp
File created | C:\Program Files\Java\jre7\lib\management\jmxremote.access.tmp
File created | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\kor-kor.xml.tmp
File created | C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\tipresx.dll.mui.tmp
File created | C:\Program Files\Common Files\System\msadc\it-IT\msadcor.dll.mui.tmp
File created | C:\Program Files\Java\jre7\bin\jfr.dll.tmp
File created | C:\Program Files\VideoLAN\VLC\locale\ta\LC_MESSAGES\vlc.mo.tmp
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationUp_SelectionSubpicture.png.tmp
File created | C:\Program Files\Java\jre7\lib\zi\SystemV\YST9YDT.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\db\bin\NetworkServerControl.bat.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Dili.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4-dark.css.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-heapdump.xml.tmp
File created | C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Catamarca.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.bindings_0.10.200.v20140424-2042.jar.tmp
File created | C:\Program Files\Microsoft Games\Purble Place\desktop.ini.tmp
File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.IO.Log.Resources.dll.tmp
File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.Services.Design.resources.dll.tmp
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_image-frame-backglow.png.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Cape_Verde.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-core-kit.jar.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-modules-appui.xml.tmp
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Title_select-highlight.png.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe.tmp
File created | C:\Program Files\Mozilla Firefox\qipcap64.dll.tmp
File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.Speech.resources.dll.tmp
File created | C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\tabskb.dll.mui.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\Center.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.forms.nl_zh_4.4.0.v20140623020002.jar.tmp

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4f63ad5c50a5b99c97a661109f13ab424f55b693478a151e02d0009b4c61034aN.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4f63ad5c50a5b99c97a661109f13ab424f55b693478a151e02d0009b4c61034aN.exe

"C:\Users\Admin\AppData\Local\Temp\4f63ad5c50a5b99c97a661109f13ab424f55b693478a151e02d0009b4c61034aN.exe"

Network

N/A

Files

memory/2072-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3063565911-2056067323-3330884624-1000\desktop.ini.tmp

MD5 23e2b0fc03105afe7d31903d9684321c
SHA1 901208a095b249ca41f0098390fba5a7bf1f1283
SHA256 313627ca7a5a29206a80638eada782c489c1e9854e2c7b3623793981190f5430
SHA512 337bffb2ff26892d5ddfc29f6596fa105b418ed5f68daa37c2350ab5c1455294a08d83042b2707e293c4d2d0ff6ca5e6b3082dc2cbdad8c6a4c8616a2896c5da

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 a07a129aedff65dd888b42be64bb2658
SHA1 7c2f57b4972f3cca5260c2ac3d6cdfaa2806f6a1
SHA256 4fe1d32cd50554713ddb9d33f84fcfd3066624597698ead3df656ac93d9c3c5d
SHA512 d8106c9877d9c1f628fe7dc8f5e9fb2a815d80e71ab80df297bef9cac6e0c81e4d10d5d7d23c4e78beefb35de06294b27c8774f1e540579eae37748e966eea2e

memory/2072-70-0x0000000000400000-0x000000000040B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 17:44

Reported

2024-10-16 17:46

Platform

win10v2004-20241007-en

Max time kernel

119s

Max time network

107s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4f63ad5c50a5b99c97a661109f13ab424f55b693478a151e02d0009b4c61034aN.exe"

Signatures

Renames multiple (4323) files with added filename extension

ransomware

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in Program Files directory

Process (every row): C:\Users\Admin\AppData\Local\Temp\4f63ad5c50a5b99c97a661109f13ab424f55b693478a151e02d0009b4c61034aN.exe
Target (every row): N/A

Description | Indicator
File created | C:\Program Files\7-Zip\Lang\ar.txt.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.HttpListener.dll.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\PresentationFramework.resources.dll.tmp
File created | C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Grace-ul-oob.xrm-ms.tmp
File created | C:\Program Files\Microsoft Office\root\Office16\1033\MSSRINTL.DLL.tmp
File created | C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT.HXS.tmp
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\vccorlib140.dll.tmp
File created | C:\Program Files\Java\jdk-1.8\lib\dt.jar.tmp
File created | C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription2-ul-oob.xrm-ms.tmp
File created | C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-ul-oob.xrm-ms.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\WindowsFormsIntegration.resources.dll.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Windows.Forms.Primitives.resources.dll.tmp
File created | C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml.tmp
File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe.tmp
File created | C:\Program Files\7-Zip\Lang\bg.txt.tmp
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.cab.cat.tmp
File created | C:\Program Files\Common Files\microsoft shared\ink\he-IL\tipresx.dll.mui.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\Microsoft.VisualBasic.Forms.resources.dll.tmp
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_MAK_AE-pl.xrm-ms.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Windows.Forms.resources.dll.tmp
File created | C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe.tmp
File created | C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-private-l1-1-0.dll.tmp
File created | C:\Program Files\Java\jre-1.8\lib\net.properties.tmp
File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.MashupEngine.dll.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Sockets.dll.tmp
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019MSDNR_Retail-pl.xrm-ms.tmp
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp2-ul-oob.xrm-ms.tmp
File created | C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Grace-ul-oob.xrm-ms.tmp
File created | C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART12.BDR.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Serialization.Formatters.dll.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\System.Windows.Forms.resources.dll.tmp
File created | C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail2-ppd.xrm-ms.tmp
File created | C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_Subscription-ppd.xrm-ms.tmp
File created | C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial5-ul-oob.xrm-ms.tmp
File created | C:\Program Files\Java\jre-1.8\legal\jdk\jopt-simple.md.tmp
File created | C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_KMS_Client-ul.xrm-ms.tmp
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail2-pl.xrm-ms.tmp
File created | C:\Program Files\Microsoft Office\root\Office16\1033\CERTINTL.DLL.tmp
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sk-sk.dll.tmp
File created | C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\msinfo32.exe.mui.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.Serialization.dll.tmp
File created | C:\Program Files\Java\jdk-1.8\jre\bin\j2gss.dll.tmp
File created | C:\Program Files\Common Files\microsoft shared\ink\de-DE\InkObj.dll.mui.tmp
File created | C:\Program Files\Common Files\microsoft shared\VSTO\vstoee100.tlb.tmp
File created | C:\Program Files\Java\jre-1.8\lib\deploy\messages_ko.properties.tmp
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-pl.xrm-ms.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-heap-l1-1-0.dll.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\PresentationFramework.resources.dll.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\UIAutomationClientSideProviders.resources.dll.tmp
File created | C:\Program Files\Internet Explorer\ielowutil.exe.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.Win32.Registry.dll.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\System.Windows.Forms.resources.dll.tmp
File created | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Green.xml.tmp
File created | C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\Default.dotx.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\PresentationCore.resources.dll.tmp
File created | C:\Program Files\7-Zip\Lang\ky.txt.tmp
File created | C:\Program Files\Common Files\microsoft shared\ink\sk-SK\tipresx.dll.mui.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\UIAutomationTypes.resources.dll.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Input.Manipulations.dll.tmp
File created | C:\Program Files\Common Files\microsoft shared\ink\nb-NO\tipresx.dll.mui.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.dll.tmp
File created | C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\local_policy.jar.tmp
File created | C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_MAK-ul-oob.xrm-ms.tmp
File created | C:\Program Files\Java\jre-1.8\bin\dt_socket.dll.tmp

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4f63ad5c50a5b99c97a661109f13ab424f55b693478a151e02d0009b4c61034aN.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4f63ad5c50a5b99c97a661109f13ab424f55b693478a151e02d0009b4c61034aN.exe

"C:\Users\Admin\AppData\Local\Temp\4f63ad5c50a5b99c97a661109f13ab424f55b693478a151e02d0009b4c61034aN.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 150.171.28.10:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp

Files

memory/712-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-4089630652-1596403869-279772308-1000\desktop.ini.tmp

MD5 700397ac0d5b86998eb2897da7d64a86
SHA1 5a800106cd452becb7a675e6e25a1e724cda83ca
SHA256 e643cb70724a3517660fc2b3a5cd3f6424fbae07d72b93be5dbae076f99f5e91
SHA512 b5d7074911911f16f0eb27f0a53daacb6ed9de86b7ada6b07322f625e25703cbe0945b9f1096095cbf95a03c072d2e21aa0dbd0303f486acc208df350c56fbd4

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 525981ec0f25228a6a29f4c60febfff4
SHA1 0cdbf984eafcdb28e9cae7b184235ff72654d16b
SHA256 e05071b8e54c70c57b7f9bf44b6931677bdd1d68307642c12b1d5153f079484e
SHA512 be1c78b89c8863afd032d36222d865cdb769b091e589b3229f25f193bc63976b1464ea7009cdd0ae73102201a0ca75d088590c28f715681f3c212cd66f77e2b7

memory/712-696-0x0000000000400000-0x000000000040B000-memory.dmp