Malware Analysis Report

2025-01-22 20:35

Sample ID 241019-165deathnm
Target 6501dd033703302a8fbbb802020cf48d1594376d65dea71834ec12e5433934afN
SHA256 6501dd033703302a8fbbb802020cf48d1594376d65dea71834ec12e5433934af
Tags
upx discovery ransomware
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

6501dd033703302a8fbbb802020cf48d1594376d65dea71834ec12e5433934af

Threat Level: Likely malicious

The file 6501dd033703302a8fbbb802020cf48d1594376d65dea71834ec12e5433934afN was found to be: Likely malicious.

Malicious Activity Summary

upx discovery ransomware

Renames multiple (3082) files with added filename extension

Renames multiple (4618) files with added filename extension

UPX packed file

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-19 22:16

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
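Both static1 signatures (UPX packed file, Unsigned PE) are decided from the PE headers alone, and the report gives no indicators for them, so the following added example shows the checks behind the names. It is not the sandbox's signature code and not from the report: it parses the COFF header, optional header and section table with the standard library, flags UPX-style section names and the empty first section that UPX leaves for the unpacked image, and reads the Authenticode (security) data directory to decide whether a signature is present. The `inspect_pe`, `static_findings` and `build_minimal_pe` names are mine; `build_minimal_pe` fabricates a header-only PE32 for the demonstration and is not the sample.

```python
import struct

# Constants from the PE/COFF specification.
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # Authenticode signature blob (WIN_CERTIFICATE)
SECTION_HEADER_SIZE = 40


def inspect_pe(data: bytes) -> dict:
    """Parse just enough of a PE image to answer the static1 questions:
    UPX-style sections, and whether an Authenticode directory is present."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        ndirs_off, dirs_off = 92, 96
    elif magic == PE32PLUS_MAGIC:
        ndirs_off, dirs_off = 108, 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    ndirs = struct.unpack_from("<I", data, opt + ndirs_off)[0]
    sec_size = 0
    if ndirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        _, sec_size = struct.unpack_from("<II", data, opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    sections = []
    for i in range(nsections):
        name, vsize, _, rawsize, _ = struct.unpack_from("<8sIIII", data, opt + opt_size + i * SECTION_HEADER_SIZE)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "virtual_size": vsize, "raw_size": rawsize})
    names = [s["name"] for s in sections]
    return {
        "machine": machine,
        "sections": names,
        "upx_section_names": any(n.upper().startswith("UPX") for n in names),
        # UPX keeps an empty first section (no bytes on disk, large virtual size) that the
        # stub decompresses into at run time; this survives trivial section renaming.
        "empty_section_with_vsize": any(s["raw_size"] == 0 and s["virtual_size"] > 0 for s in sections),
        "has_authenticode": sec_size > 0,
    }


def static_findings(data: bytes) -> list:
    """Map the parsed facts onto the two signature names used in this report."""
    info = inspect_pe(data)
    findings = []
    if info["upx_section_names"] or info["empty_section_with_vsize"]:
        findings.append("UPX packed file")
    if not info["has_authenticode"]:
        findings.append("Unsigned PE")
    return findings


def build_minimal_pe(section_specs, authenticode_size=0) -> bytes:
    """Constructed test input: a header-only PE32 (not runnable, not the sample) with
    (name, virtual_size, raw_size) sections and an optional security-directory size."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew: PE header follows the DOS header
    opt_size = 96 + 16 * 8                                      # PE32 optional header with 16 data directories
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_specs), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 92, 16)                         # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                     0x1000 if authenticode_size else 0, authenticode_size)
    secs = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode(), vsize, 0x1000 * (i + 1), rawsize, 0x400, 0, 0, 0, 0, 0xE0000040)
        for i, (name, vsize, rawsize) in enumerate(section_specs)
    )
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs


if __name__ == "__main__":
    sample = build_minimal_pe([("UPX0", 0x8000, 0), ("UPX1", 0x3000, 0x2800), (".rsrc", 0x1000, 0x200)])
    print(static_findings(sample))   # ['UPX packed file', 'Unsigned PE']
```

For real files use a full parser such as `pefile`, and `upx -d` to recover the unpacked image before disassembly; the 0x400000-0x40B000 memory dumps recorded in both behavioral runs (a 44 KB image) are consistent with a small packed binary. Section names are trivially renamed, so the absence of a `UPX` name proves nothing, which is why the empty-section heuristic is checked as well. An empty security directory means only that no embedded Authenticode signature exists; it does not validate a signature that is present.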

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-19 22:16

Reported

2024-10-19 22:18

Platform

win7-20240708-en

Max time kernel

120s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6501dd033703302a8fbbb802020cf48d1594376d65dea71834ec12e5433934afN.exe"

Signatures

Renames multiple (3082) files with added filename extension

ransomware

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in Program Files directory

Description | Indicator
(Process for every row: C:\Users\Admin\AppData\Local\Temp\6501dd033703302a8fbbb802020cf48d1594376d65dea71834ec12e5433934afN.exe; Target for every row: N/A)
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Tallinn.tmp
File created | C:\Program Files\Common Files\System\Ole DB\ja-JP\sqloledb.rll.mui.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-favorites_ja.jar.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-spi-actions.xml.tmp
File created | C:\Program Files\Java\jre7\bin\unpack200.exe.tmp
File created | C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPC.DLL.tmp
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\content-background.png.tmp
File created | C:\Program Files\Google\Chrome\Application\chrome.VisualElementsManifest.xml.tmp
File created | C:\Program Files\VideoLAN\VLC\locale\oc\LC_MESSAGES\vlc.mo.tmp
File created | C:\Program Files\VideoLAN\VLC\plugins\access\libbluray-j2se-1.3.2.jar.tmp
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationLeft_ButtonGraphic.png.tmp
File created | C:\Program Files\VideoLAN\VLC\plugins\access\libdcp_plugin.dll.tmp
File created | C:\Program Files\Java\jre7\lib\currency.data.tmp
File created | C:\Program Files\Java\jre7\lib\deploy\messages_ja.properties.tmp
File created | C:\Program Files\VideoLAN\VLC\lua\playlist\youtube.luac.tmp
File created | C:\Program Files\7-Zip\Lang\sq.txt.tmp
File created | C:\Program Files\Internet Explorer\en-US\ieinstal.exe.mui.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\db\bin\setEmbeddedCP.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\oracle.gif.tmp
File created | C:\Program Files\Java\jre7\lib\zi\Etc\GMT-10.tmp
File created | C:\Program Files\Java\jre7\lib\zi\Pacific\Tarawa.tmp
File created | C:\Program Files\Common Files\Microsoft Shared\ink\hwrcommonlm.dat.tmp
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\203x8subpicture.png.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-ui_zh_CN.jar.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler.xml.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-multiview.jar.tmp
File created | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\jquery-ui-1.8.13.custom.css.tmp
File created | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_rtl.xml.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.natives.nl_ja_4.4.0.v20140623020002.jar.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-io-ui_zh_CN.jar.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-windows_ja.jar.tmp
File created | C:\Program Files\Common Files\Microsoft Shared\ink\ipsesp.xml.tmp
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_rightarrow.png.tmp
File created | C:\Program Files\Java\jre7\lib\zi\Africa\Casablanca.tmp
File created | C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\InputPersonalization.exe.mui.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_CopyNoDrop32x32.gif.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.console.nl_zh_4.4.0.v20140623020002.jar.tmp
File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Web.Entity.Resources.dll.tmp
File created | C:\Program Files\Common Files\Microsoft Shared\Stationery\Pine_Lumber.jpg.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.rcp_4.3.100.v20141007-2301.jar.tmp
File created | C:\Program Files\Java\jre7\lib\zi\Pacific\Auckland.tmp
File created | C:\Program Files\Common Files\Microsoft Shared\ink\TipBand.dll.tmp
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_SelectionSubpicture.png.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Belgrade.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.app.nl_zh_4.4.0.v20140623020002.jar.tmp
File created | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_altgr.xml.tmp
File created | C:\Program Files\Common Files\System\msadc\en-US\msadcfr.dll.mui.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-favorites_zh_CN.jar.tmp
File created | C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\vlc.mo.tmp
File created | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_gloss-wave_35_f6a828_500x100.png.tmp
File created | C:\Program Files\7-Zip\Lang\uz.txt.tmp
File created | C:\Program Files\Common Files\System\ado\msader15.dll.tmp
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\Push\push_item.png.tmp
File created | C:\Program Files\DVD Maker\soniccolorconverter.ax.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\CST6CDT.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\about.html.tmp
File created | C:\Program Files\Java\jre7\lib\zi\America\Nipigon.tmp
File created | C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\vlc.mo.tmp
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Perf_Scenes_Mask1.png.tmp
File created | C:\Program Files\Internet Explorer\Timeline.dll.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-fallback_zh_CN.jar.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\com-sun-tools-visualvm-modules-startup_ja.jar.tmp
File created | C:\Program Files\VideoLAN\VLC\lua\http\images\Back-48.png.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\.lastModified.tmp

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6501dd033703302a8fbbb802020cf48d1594376d65dea71834ec12e5433934afN.exe | N/A

Opening this key returns the installed system language (ATT&CK T1614.001, which is what the signature name denotes). Ransomware families commonly read the language or locale to skip machines in certain regions, but the read alone is weak evidence: many benign runtimes query the same key at start-up, and the report records only that the key was opened, not how the value was used or whether execution branched on it.

Processes

C:\Users\Admin\AppData\Local\Temp\6501dd033703302a8fbbb802020cf48d1594376d65dea71834ec12e5433934afN.exe

"C:\Users\Admin\AppData\Local\Temp\6501dd033703302a8fbbb802020cf48d1594376d65dea71834ec12e5433934afN.exe"

Network

N/A

Files

memory/1292-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3551809350-4263495960-1443967649-1000\desktop.ini.tmp

MD5 c216148d7bcd010cd8a1a0e9d9b7d2b1
SHA1 b96e661a4b8e1b13d7c8a516d6dc1d7dc17ca028
SHA256 e8f2072e9ba2810188375ee2de76b6f6028735f8ed421f6503828ba1fb34db87
SHA512 8534c6a72905e0fc5e6a8fd4ac8c31ed8eb1f18ec512cceaa458de6ac43e9484336e927c56a048cc9b9941380248d13f8dfc63263a53fbf63e2cf4bddc7f34c9

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 f60d8bdcd878d631287aabc8e8a5a5d2
SHA1 7fa9f6c9ec87d6f7dd8f6ecb0226737b25303b8f
SHA256 d1835ece4a8f5ad74bd2b8a67f3f6e0208b52095b7bdfee3931f3c4632b7f66f
SHA512 2cb1f3570316f3487cbca03348f10e703188fd878f0a798d81c90d69671db3d664d8ba2d401097cbcc5bc05361b4903945d3253568e59e17e2a1861adbb6e015

memory/1292-68-0x0000000000400000-0x000000000040B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-19 22:16

Reported

2024-10-19 22:18

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

116s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6501dd033703302a8fbbb802020cf48d1594376d65dea71834ec12e5433934afN.exe"

Signatures

Renames multiple (4618) files with added filename extension

ransomware

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in Program Files directory

Description | Indicator
(Process for every row: C:\Users\Admin\AppData\Local\Temp\6501dd033703302a8fbbb802020cf48d1594376d65dea71834ec12e5433934afN.exe; Target for every row: N/A)
File created | C:\Program Files\Common Files\System\msadc\ja-JP\msadcor.dll.mui.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\WindowsBase.dll.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.FileSystem.DriveInfo.dll.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Windows.Forms.Primitives.resources.dll.tmp
File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\db2v0801.xsl.tmp
File created | C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial2-ppd.xrm-ms.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\UIAutomationClient.resources.dll.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\WindowsFormsIntegration.resources.dll.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\UIAutomationClient.resources.dll.tmp
File created | C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-ppd.xrm-ms.tmp
File created | C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription4-ppd.xrm-ms.tmp
File created | C:\Program Files\Java\jre-1.8\bin\mlib_image.dll.tmp
File created | C:\Program Files\Java\jre-1.8\lib\deploy\messages.properties.tmp
File created | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-pl.xrm-ms.tmp
File created | C:\Program Files\Microsoft Office\root\Office16\CHART.DLL.tmp
File created | C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.scale-100.png.tmp
File created | C:\Program Files\Common Files\System\msadc\msdfmap.dll.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Microsoft.WindowsDesktop.App.deps.json.tmp
File created | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp-pl.xrm-ms.tmp
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial-ppd.xrm-ms.tmp
File created | C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-140.png.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.Emit.Lightweight.dll.tmp
File created | C:\Program Files\Java\jre-1.8\lib\images\cursors\cursors.properties.tmp
File created | C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-synch-l1-2-0.dll.tmp
File created | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp-ppd.xrm-ms.tmp
File created | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-ul-phn.xrm-ms.tmp
File created | C:\Program Files\Microsoft Office\root\Office16\1033\LyncVDI_Eula.txt.tmp
File created | C:\Program Files\7-Zip\Lang\va.txt.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\PresentationFramework.resources.dll.tmp
File created | C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.cpl.tmp
File created | C:\Program Files\Microsoft Office\Office16\OSPP.VBS.tmp
File created | C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_KMS_Client-ul.xrm-ms.tmp
File created | C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Retail-ul-oob.xrm-ms.tmp
File created | C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Grace-ppd.xrm-ms.tmp
File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.SapBwProvider.dll.tmp
File created | C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.scale-80.png.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\UIAutomationClient.resources.dll.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Microsoft.WindowsDesktop.App.runtimeconfig.json.tmp
File created | C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_MAK-ul-phn.xrm-ms.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Tasks.Parallel.dll.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\PresentationUI.resources.dll.tmp
File created | C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription3-ppd.xrm-ms.tmp
File created | C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-140.png.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\ReachFramework.resources.dll.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\System.Windows.Input.Manipulations.resources.dll.tmp
File created | C:\Program Files\Java\jdk-1.8\jre\bin\msvcp140_1.dll.tmp
File created | C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_OEM_Perp-pl.xrm-ms.tmp
File created | C:\Program Files\Microsoft Office\root\Licenses16\SkypeServiceBypassR_PrepidBypass-ppd.xrm-ms.tmp
File created | C:\Program Files\Microsoft Office\root\Office16\mscss7wre_en.dub.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\UIAutomationClient.dll.tmp
File created | C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Retail-ppd.xrm-ms.tmp
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Trial-ppd.xrm-ms.tmp
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTest-ul-oob.xrm-ms.tmp
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp2-ul-phn.xrm-ms.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Windows.Input.Manipulations.resources.dll.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Windows.Input.Manipulations.resources.dll.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Private.Xml.dll.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Windows.Forms.resources.dll.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Forms.Design.resources.dll.tmp
File created | C:\Program Files\Java\jre-1.8\bin\fxplugins.dll.tmp
File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.ProviderShared.dll.tmp
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\offreg.dll.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\UIAutomationProvider.resources.dll.tmp
File created | C:\Program Files\Microsoft Office\root\Integration\C2RInt.16.msi.tmp
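The "Renames multiple (3082 / 4618) files with added filename extension" signature and the Program Files listings of both behavioral runs describe one pattern: a single process writing `<original>.tmp` next to thousands of existing files across unrelated directory trees within the 120 s run. The detector below is an added example, not the sandbox's signature logic and not from the report. It runs over a constructed event log in a hypothetical `ts pid= op= src= dst=` line format (Sysmon file-create events or EDR rename events carry the same fields), counts per process the creates and renames that produce an existing path plus exactly one extra extension, and alerts when count, speed and directory spread together look like bulk encryption rather than an installer or backup job. The `detect_mass_rename` and `sample_events` names, the thresholds and the sample data are assumptions chosen for the demonstration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed event format for this example, one file operation per line:
#   <ISO-8601 ts>Z pid=<n> op=create|rename src="<path>" [dst="<path>"]
EVENT_RE = re.compile(
    r'^(?P<ts>\S+) pid=(?P<pid>\d+) op=(?P<op>create|rename) '
    r'src="(?P<src>[^"]*)"(?: dst="(?P<dst>[^"]*)")?$'
)


def added_extension(old: str, new: str):
    """Return the suffix when `new` is `old` plus exactly one more extension, else None."""
    if not new.startswith(old) or len(new) <= len(old):
        return None
    suffix = new[len(old):]
    if suffix.startswith(".") and len(suffix) > 1 and "." not in suffix[1:] and "\\" not in suffix:
        return suffix
    return None


def top_dir(path: str) -> str:
    """'C:\\Program Files\\7-Zip\\x' -> 'c:\\program files' (drive plus first folder)."""
    return "\\".join(path.split("\\")[:2]).lower()


def detect_mass_rename(lines, known_files, threshold=50, min_dirs=2, window_s=120):
    """Flag processes that produce >= `threshold` files named '<existing file>.<ext>'
    within `window_s` seconds across >= `min_dirs` top-level directories."""
    known = {p.lower() for p in known_files}
    per_pid = defaultdict(lambda: {"hits": 0, "first": None, "last": None,
                                   "dirs": set(), "exts": Counter()})
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        if m["op"] == "rename":
            ext, produced = added_extension(m["src"], m["dst"]), m["dst"]
        else:
            # A create counts only when the path minus its last suffix is a file we already
            # know: the '<original>.tmp' sibling pattern in the Program Files listings above.
            base, dot, tail = m["src"].rpartition(".")
            ext = "." + tail if dot and base.lower() in known else None
            produced = m["src"]
        if ext is None:
            continue
        rec = per_pid[m["pid"]]
        rec["hits"] += 1
        rec["first"] = rec["first"] or ts
        rec["last"] = ts
        rec["dirs"].add(top_dir(produced))
        rec["exts"][ext.lower()] += 1
        known.add(produced.lower())   # the new name may itself be renamed again later
    alerts = {}
    for pid, rec in per_pid.items():
        elapsed = (rec["last"] - rec["first"]).total_seconds()
        if rec["hits"] >= threshold and len(rec["dirs"]) >= min_dirs and elapsed <= window_s:
            alerts[pid] = {"hits": rec["hits"], "seconds": elapsed,
                           "dirs": sorted(rec["dirs"]), "top_ext": rec["exts"].most_common(1)[0][0]}
    return alerts


def sample_events():
    """Constructed log (not data from the report): pid 1292 creates 60 '<file>.tmp' siblings
    across two directory trees in about 40 s; pid 2000 writes two unrelated files."""
    t0 = datetime(2024, 10, 19, 22, 16, 30)
    known, lines = [], []
    for i in range(60):
        root = "C:\\Program Files\\7-Zip\\Lang" if i % 2 else "C:\\Users\\Admin\\Documents"
        orig = f"{root}\\file{i}.txt"
        known.append(orig)
        ts = (t0 + timedelta(milliseconds=650 * i)).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3]
        lines.append(f'{ts}Z pid=1292 op=create src="{orig}.tmp"')
    lines.append(f'{t0.isoformat()}Z pid=2000 op=create src="C:\\Temp\\setup.log"')
    lines.append(f'{t0.isoformat()}Z pid=2000 op=rename src="C:\\Temp\\a.part" dst="C:\\Temp\\a.part.done"')
    return lines, known


if __name__ == "__main__":
    lines, known = sample_events()
    for pid, a in detect_mass_rename(lines, known).items():
        print(f"pid {pid}: {a['hits']} files got {a['top_ext']} in {a['seconds']:.1f}s across {a['dirs']}")
```

The directory-spread condition is what separates this from a package installer, which also writes hundreds of files quickly but inside one tree; the speed condition is what separates it from a user's own bulk rename. In production the `known_files` seed comes from the file-create history or a filesystem inventory rather than from the log itself, and the alert should carry the process image path so the response can kill it before the 120 s window closes.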

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6501dd033703302a8fbbb802020cf48d1594376d65dea71834ec12e5433934afN.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6501dd033703302a8fbbb802020cf48d1594376d65dea71834ec12e5433934afN.exe

"C:\Users\Admin\AppData\Local\Temp\6501dd033703302a8fbbb802020cf48d1594376d65dea71834ec12e5433934afN.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 150.171.27.10:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp

Every row is either a query to the sandbox resolver (8.8.8.8) for a Bing host or a reverse (PTR) lookup, or an HTTPS connection to the two Bing front ends the resolver returned. This table has no process column, so none of it is attributed to the sample, and the Windows 7 run (behavioral1) recorded no network activity at all. Treat it as the background traffic of the Windows 10 image: it is not evidence of command-and-control, key exchange or a payment site for this sample, and these hosts should not be used as indicators.

Files

memory/3160-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3350944739-639801879-157714471-1000\desktop.ini.tmp

MD5 8e0688be04acef7f70caa4add10b6a93
SHA1 1db50777446860bc03e8cac367fc452c8fdfe9f2
SHA256 f5da432bcff22b438d5e8a8389cac051fddb69065947a03cd109f1a11ff1ee16
SHA512 ce4b34b5819c507b8e946ef30a1c5586102ed22bfa854906f876631dada9a8ece123ae9bd442218c30230e3f3af864d28d686b94f947215873c03ed8ef9b9634

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 9a9e95e84287b98611fa2b39c0bc943e
SHA1 cdd028d01ca55b1ba99e66f5d14d4ed472a8a507
SHA256 2ae010083a1c630d1439179b0e409208598310b43dcd36e9c68d3d34d4676976
SHA512 a784f5407118d99888bb4d64df955ab3a1399d7debe2b1cbfb2b8b08502808f9f37a824a44954220467e3496a9754c230fa8254e60f1c03a87022d93ef119672

memory/3160-702-0x0000000000400000-0x000000000040B000-memory.dmp
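The Files sections give hashes for four of the dropped `.tmp` files but say nothing about their contents, and the signature itself records bulk renaming, not encryption. The added example below, which is not part of the report, is the check an analyst would run on a recovered `.tmp` sibling: compute the four digests the report uses so the file can be matched against the listed IOCs, and estimate Shannon entropy to decide whether the file looks like ciphertext. `REPORT_SHA256` holds the four SHA-256 values from the Files sections above; the `PLAINTEXT_INI` and `CIPHERTEXT_LIKE` buffers are constructed stand-ins, not the dropped files, and the 7.2-bit threshold and 256-byte minimum are assumptions.

```python
import hashlib
import math
from collections import Counter

# SHA-256 values of the dropped files listed in this report's two behavioral runs.
REPORT_SHA256 = {
    "e8f2072e9ba2810188375ee2de76b6f6028735f8ed421f6503828ba1fb34db87",  # desktop.ini.tmp (win7)
    "d1835ece4a8f5ad74bd2b8a67f3f6e0208b52095b7bdfee3931f3c4632b7f66f",  # Office64WW.xml.tmp (win7)
    "f5da432bcff22b438d5e8a8389cac051fddb69065947a03cd109f1a11ff1ee16",  # desktop.ini.tmp (win10)
    "2ae010083a1c630d1439179b0e409208598310b43dcd36e9c68d3d34d4676976",  # 7-zip.dll.tmp (win10)
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one.
    Ciphertext and compressed data sit near 8; INI/XML text sits well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def digests(data: bytes) -> dict:
    """The four digests this report lists per dropped file."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256", "sha512")}


def triage_dropped_file(data: bytes, known_sha256=REPORT_SHA256, high=7.2, min_len=256) -> dict:
    """Hashes for IOC matching plus an entropy verdict on whether a .tmp sibling looks encrypted."""
    d = digests(data)
    h = shannon_entropy(data)
    return {**d,
            "entropy": round(h, 3),
            # Very short buffers give a noisy estimate, so never call them encrypted on entropy alone.
            "likely_encrypted": len(data) >= min_len and h >= high,
            "matches_report_ioc": d["sha256"] in known_sha256}


# Constructed stand-ins (no real dropped files are embedded here).
PLAINTEXT_INI = (b"[.ShellClassInfo]\r\nCLSID={645FF040-5081-101B-9F08-00AA002F954E}\r\n"
                 b"LocalizedResourceName=@%SystemRoot%\\system32\\shell32.dll,-8964\r\n") * 4
# A hash chain is a cheap deterministic source of high-entropy bytes to stand in for the encrypted copy.
CIPHERTEXT_LIKE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))


if __name__ == "__main__":
    for label, blob in (("desktop.ini-like text", PLAINTEXT_INI), ("ciphertext-like", CIPHERTEXT_LIKE)):
        r = triage_dropped_file(blob)
        print(f"{label}: entropy={r['entropy']} encrypted={r['likely_encrypted']} ioc={r['matches_report_ioc']}")
```

Compare each `.tmp` against the original it shadows: near-8-bit entropy across the whole file with no recognisable magic header is the usual look of a block-cipher output, whereas a `.tmp` whose entropy and header match the original means only a rename happened. A small `desktop.ini` is a poor test subject for entropy (it is under the length floor), so pick a larger sibling such as the `7-zip.dll.tmp` listed above.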