Malware Analysis Report

2025-01-22 19:54

Sample ID 241016-zxpqxssgkc
Target f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN
SHA256 f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440e
Tags
upx discovery ransomware
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440e

Threat Level: Likely malicious

The file f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN was found to be: Likely malicious.

Malicious Activity Summary

Tags: upx, discovery, ransomware

Renames multiple (3208) files with added filename extension (behavioral1, win7-20240903-en)

Renames multiple (4584) files with added filename extension (behavioral2, win10v2004-20241007-en)

UPX packed file

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

MITRE ATT&CK

Enterprise Matrix V15

T1614.001 System Location Discovery: System Language Discovery (Discovery)

Analysis: static1

Detonation Overview

Reported

2024-10-16 21:06

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
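The two static1 signatures above, "UPX packed file" and "Unsigned PE", come from the PE header alone: UPX leaves its section names (UPX0, UPX1) in the section table and gives its first section no raw bytes, and an unsigned binary has an empty Attribute Certificate Table (data directory 4). The script below is an added example written for this report, not the sandbox's own signature code. It parses only the headers it needs, so it runs without pefile, and the PE images it checks are constructed in memory as stand-ins; the sample itself is not reproduced here.

```python
"""Static triage: UPX section names and Authenticode presence in a PE header.

Added example for this report, not sandbox code. The PE blobs it examines are
constructed stand-ins built by build_pe(), not the analysed sample.
"""
import struct

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # Attribute Certificate Table (Authenticode signature)


def parse_pe(data: bytes) -> dict:
    """Parse the COFF header, section table and security data directory of a PE file."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:      # PE32: data directories start 96 bytes into the optional header
        dd_base = opt + 96
    elif magic == 0x20B:    # PE32+: 112 bytes in
        dd_base = opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # The security directory holds a file offset (not an RVA) and the certificate table size.
    sec_off, sec_size = struct.unpack_from("<II", data, dd_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    sections = []
    table = opt + opt_size
    for i in range(nsections):
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0"), "virtual_size": vsize,
                         "virtual_address": vaddr, "raw_size": raw_size, "raw_ptr": raw_ptr})
    return {"machine": machine, "sections": sections,
            "security_offset": sec_off, "security_size": sec_size}


def triage(data: bytes) -> dict:
    """Report UPX section names, sections with no raw data, and whether a signature is present."""
    pe = parse_pe(data)
    names = [s["name"].decode("ascii", "replace") for s in pe["sections"]]
    upx_names = sorted(n.decode() for n in {s["name"] for s in pe["sections"]} & UPX_SECTION_NAMES)
    # UPX0 reserves address space for the unpacked image but occupies no bytes on disk.
    empty_raw = [s["name"].decode("ascii", "replace") for s in pe["sections"]
                 if s["raw_size"] == 0 and s["virtual_size"] > 0]
    return {
        "section_names": names,
        "upx_packed": bool(upx_names),
        "upx_sections": upx_names,
        "empty_raw_sections": empty_raw,
        "signed": pe["security_size"] != 0,
    }


def triage_path(path: str) -> dict:
    with open(path, "rb") as fh:
        return triage(fh.read())


def build_pe(section_names, signed: bool) -> bytes:
    """Construct a minimal PE32 header (no code) so the checks can run on a known input."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)          # e_lfanew: PE header follows the DOS header
    opt_size = 224                                 # PE32 optional header with 16 data directories
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic
    struct.pack_into("<I", opt, 28, 0x00400000)    # ImageBase; the report's dumps start here
    struct.pack_into("<I", opt, 92, 16)            # NumberOfRvaAndSizes
    if signed:                                     # point the security directory at a fake table
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x2000, 0x800)
    table = b""
    for i, name in enumerate(section_names):
        raw_size = 0 if name == b"UPX0" else 0x400
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), 0x3000, 0x1000 * (i + 1),
                             raw_size, 0x400 * (i + 1), 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


if __name__ == "__main__":
    print("packed, unsigned:", triage(build_pe([b"UPX0", b"UPX1", b".rsrc"], signed=False)))
    print("plain, signed:   ", triage(build_pe([b".text", b".data", b".rsrc"], signed=True)))
```

Section names are a weak indicator on their own (UPX can be told to rename them, and hand-packed samples often do), so the empty-raw-data section and a high-entropy UPX1 are the corroborating checks to run before calling a file packed. A non-empty security directory only means a certificate table exists; validating the signature chain is a separate step.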

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 21:06

Reported

2024-10-16 21:08

Platform

win7-20240903-en

Max time kernel

120s

Max time network

17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe"

Signatures

Renames multiple (3208) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Riyadh88.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.jsp.jasper.registry_1.0.300.v20130327-1442.jar.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Java\jre7\lib\fontconfig.bfc.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\audio_output\libmmdevice_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\mip.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationLeft_ButtonGraphic.png.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\tools.jar.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Java\jre7\lib\jfxrt.jar.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Asia\Colombo.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Pacific\Chatham.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\mip.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgRes.dll.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\codec\libttml_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\sunec.dll.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPCEXT.DLL.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring_zh_CN.jar.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Java\jre7\lib\ext\sunec.jar.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Microsoft Games\Hearts\ja-JP\Hearts.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\it-IT\msdasqlr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationUp_ButtonGraphic.png.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Tokyo.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\feature.properties.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi_3.10.1.v20140909-1633.jar.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Denver.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Microsoft Games\Hearts\Hearts.exe.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Services.dll.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwritalm.dat.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\jli.dll.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Miquelon.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Dili.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l2-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Rio_Branco.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Amman.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Atlantic\South_Georgia.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\InkObj.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\config.ini.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.net.nl_ja_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-sampler.jar.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\Center.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-split.avi.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ipsrom.xml.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\fr-FR\sqloledb.rll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Noronha.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\oracle.gif.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\mk\LC_MESSAGES\vlc.mo.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.components.ui.ja_5.5.0.165303.jar.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Manaus.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\7-Zip\descript.ion.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\DVD Maker\rtstreamsink.ax.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\navSubpicture.png.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\db\README-JDK.html.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Mawson.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.components.ui_5.5.0.165303.jar.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-util_zh_CN.jar.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Menominee.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Management.Instrumentation.Resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\vlc.mo.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\7-Zip\Lang\pa-in.txt.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainBackground_PAL.wmv.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Tirane.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-spi-actions.jar.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-multitabs.xml.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Microsoft Games\Multiplayer\Spades\fr-FR\ShvlRes.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe

"C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe"

Network

N/A

Files

memory/2128-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2872745919-2748461613-2989606286-1000\desktop.ini.tmp

MD5 2febce192af448fd4a5b227a70e54622
SHA1 b3875bd125f05e1ad2dd80d77dde04ba328883e6
SHA256 78689893a5c98fd4ea93174d0081879858a5b031bc73f80fc4b0b0263633f517
SHA512 a7c580ab08deb05d4f7f87e5b6faf5b931193ea0dc4599574047ba07b26fb021fa1cbf8687dcab00f33826f86b7169d6299c8f73e26fe1daa36586bd054ac28f

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 0737378d1b9a5575e7194f55dc3a1a96
SHA1 3f7185cdf515439d942da1ddee70269751a4a598
SHA256 355dedb7edb1e71759b0937fa12ad4bbef912a8aec0b77b2b039269df9bb3e7e
SHA512 0d45a9695c0faf7203e40af8e4e435543b07fb5a207fb76f1fa17c5d256958850a3ee139d50884421afb899a360206ab8797fff02ffed6f5228f970886263b3b

memory/2128-71-0x0000000000400000-0x000000000040A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 21:06

Reported

2024-10-16 21:08

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

100s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe"

Signatures

Renames multiple (4584) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\PresentationCore.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\fontconfig.bfc.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\javafx.properties.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\sqmapi_x64.dll.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Common Files\System\msadc\de-DE\msadcor.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\Library\SOLVER\SOLVER.XLAM.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\MondoR_EnterpriseSub_Bypass30-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Personal2019DemoR_BypassTrial180-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Drawing.Primitives.dll.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\ext\sunpkcs11.jar.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Microsoft Office\root\fre\StartMenu_Win8.mp4.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Classic.dll.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\PresentationFramework.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\Microsoft.VisualBasic.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\UIAutomationClient.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_KMS_Client-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Loader.dll.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\hr.pak.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremDemoR_BypassTrial365-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\FOLDER.ICO.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.scale-80.png.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\Microsoft.VisualBasic.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_MAK_AE-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_KMS_Client-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_OEM_Perp-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Linq.Expressions.dll.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.Royale.dll.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\en-US\InputPersonalization.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ipsjpn.xml.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_F_COL.HXK.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Grace-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Common Files\System\wab32res.dll.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\javah.exe.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Windows.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription1-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Grace-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Linq.Parallel.dll.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\mscorrc.dll.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\Microsoft.VisualBasic.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\mlib_image.dll.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaBrightRegular.ttf.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Wisp.thmx.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Retail-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_MAK_AE-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\oskpredbase.xml.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\System.Windows.Forms.Design.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Overlapped.dll.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l2-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\mip_clienttelemetry.dll.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\hr\msipc.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\7-Zip\Lang\pt-br.txt.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\it-IT\InkObj.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Java\jdk-1.8\lib\ant-javafx.jar.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
File created C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE.tmp C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe N/A
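The same two behavioural signatures fire in both runs: a burst of renames where the destination is the original name plus a new suffix (3208 files on Windows 7, 4584 on Windows 10), and a single open of the NLS\Language key, the language check ransomware commonly runs before encrypting. The script below is an added example for this report, not the sandbox's signature engine, and shows how both rules can be evaluated over a process event log. The event log is constructed inline; the 50-rename threshold is an assumption, since the report does not state the sandbox's own cut-off, and the ".tmp" suffix in the constructed data mirrors the suffix visible in the report's file lists rather than a known final extension of this family.

```python
"""Behavioural triage over a file/registry event log.

Added example for this report, not sandbox code. Events are dicts:
  {"pid": int, "op": "rename", "src": path, "dst": path}
  {"pid": int, "op": "regopen", "key": registry path}
The threshold and the event log below are constructed assumptions.
"""
from collections import Counter, defaultdict

NLS_LANGUAGE_SUFFIX = r"\CONTROL\NLS\LANGUAGE"   # matches ControlSet001 and CurrentControlSet


def appended_extension(src: str, dst: str):
    """Return the suffix when dst is exactly src + '.' + suffix, else None.

    A rename that replaces the extension (a.txt -> a.bak) or moves the file into
    another directory does not count as an added filename extension.
    """
    if len(dst) <= len(src) + 1 or dst[: len(src)].lower() != src.lower():
        return None
    if dst[len(src)] != ".":
        return None
    tail = dst[len(src) + 1:]
    if not tail or "\\" in tail or "/" in tail:
        return None
    return tail.lower()


def triage_events(events, rename_threshold=50):
    """Evaluate the rename-burst and language-discovery rules per process."""
    renames = defaultdict(Counter)     # pid -> Counter(appended extension)
    language_lookup = set()
    for ev in events:
        if ev["op"] == "rename":
            ext = appended_extension(ev["src"], ev["dst"])
            if ext is not None:
                renames[ev["pid"]][ext] += 1
        elif ev["op"] == "regopen" and ev["key"].upper().rstrip("\\").endswith(NLS_LANGUAGE_SUFFIX):
            language_lookup.add(ev["pid"])

    signatures = []
    for pid, counts in sorted(renames.items()):
        total = sum(counts.values())
        if total >= rename_threshold:
            ext, n = counts.most_common(1)[0]
            signatures.append({
                "pid": pid,
                "name": f"Renames multiple ({total}) files with added filename extension",
                "dominant_extension": ext,        # the suffix to search for on other hosts
                "dominant_share": n / total,      # near 1.0 means one consistent suffix
            })
    for pid in sorted(language_lookup):
        signatures.append({"pid": pid,
                           "name": "System Location Discovery: System Language Discovery"})
    return signatures


def constructed_events():
    """Constructed log: one noisy process (pid 2128) and one benign process (pid 900)."""
    ev = [{"pid": 2128, "op": "regopen",
           "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"}]
    for i in range(60):
        src = rf"C:\Users\Admin\Documents\file{i:03d}.docx"
        ev.append({"pid": 2128, "op": "rename", "src": src, "dst": src + ".tmp"})
    # extension replaced, not appended: must not count
    ev.append({"pid": 2128, "op": "rename",
               "src": r"C:\Users\Admin\a.txt", "dst": r"C:\Users\Admin\a.bak"})
    for i in range(2):                 # an installer touching two files is below threshold
        src = rf"C:\Users\Admin\Downloads\setup{i}.msi"
        ev.append({"pid": 900, "op": "rename", "src": src, "dst": src + ".partial"})
    return ev


if __name__ == "__main__":
    for sig in triage_events(constructed_events()):
        print(sig)
```

The per-process count is what keeps this rule usable outside a sandbox: a backup agent or an installer renames files too, but rarely thousands in two minutes with one consistent suffix. The dominant extension and its share are worth recording because they are the quickest pivot for a fleet-wide search once a host is confirmed.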

Processes

C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe

"C:\Users\Admin\AppData\Local\Temp\f076001c186ec0b98525237e25947f8ce79790f36b7854df669d4a569ff4440eN.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

No process is attributed to this traffic. The in-addr.arpa PTR lookups via 8.8.8.8 and the TLS sessions to tse1.mm.bing.net are consistent with Windows 10 background activity, the sample's process is the only one recorded in this run, and the behavioral1 run on Windows 7 recorded no network activity at all. Treat these entries as sandbox noise rather than command-and-control unless a capture with process attribution shows otherwise.

Files

memory/1244-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2045521122-590294423-3465680274-1000\desktop.ini.tmp

MD5 25ba6f6ae7039d33d533073b77522d4a
SHA1 ab0064854599ae329bd8b20f837aeb5e95b2093d
SHA256 08197a89957beec15046092a1982d67a4506fef0d0e1cdc8b4a24b7fddf96595
SHA512 8eb9dcbf16673be53fc217c7071319ed713864cfbbfc3aebaebf4b2e7ad53186f05679ae525773370f5cec3969698d197af550f1b122c73fa7f3ea5579389be1

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 8396a186a996ddc5b01b9cd628df4e12
SHA1 2c179f8db6a23f06ccae4fdef8ebd3008ee73b36
SHA256 e749388df11fccd7e1ef9f0ab98c5dbc1ea6f949d8967ecbaf51071f1ec28c96
SHA512 b00b5c00561204813a314d802dba853ee6e141af27d6e2092bfde0991e9199608d7fa33750d753bd90c0515af09e95676ab52be1ce3986ccfd023263ddcfb1cc

memory/1244-664-0x0000000000400000-0x000000000040A000-memory.dmp