Malware Analysis Report

2025-01-22 20:14

Sample ID 241019-zkklfazenj
Target 637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN
SHA256 637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdff
Tags discovery ransomware upx
Score 9/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 9/10

SHA256 637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdff

Threat Level: Likely malicious

The file 637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN was found to be: Likely malicious.

Malicious Activity Summary

discovery ransomware upx

Renames multiple (592) files with added filename extension

Renames multiple (5022) files with added filename extension

UPX packed file

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-10-19 20:46

Signatures

UPX packed file (upx)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted 2024-10-19 20:46
Reported 2024-10-19 20:49
Platform win10v2004-20241007-en
Max time kernel 150s
Max time network 155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe"

Signatures

Renames multiple (5022) files with added filename extension (ransomware)

UPX packed file (upx)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Overlapped.dll.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\PresentationCore.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_KMS_Client-ul.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_PrepidBypass-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\bin\servertool.exe.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessDemoR_BypassTrial365-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\GRAPH.ICO.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-100.png.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\de-DE\mshwLatin.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Collections.Specialized.dll.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\WindowsBase.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\UIAutomationClient.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL112.XML.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\cursors.properties.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_COL.HXT.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN081.XML.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcDemoR_BypassTrial365-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\personaspybridge.js.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\fr-FR\InkObj.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Microsoft.Win32.SystemEvents.dll.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\jre\bin\sawindbg.dll.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue Warm.xml.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\ReachFramework.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Times New Roman-Arial.xml.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Trial-pl.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\MEDIA\WHOOSH.WAV.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\WindowsFormsIntegration.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Windows.Forms.Primitives.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Input.Manipulations.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Windows.Controls.Ribbon.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\PDFREFLOW.EXE.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-ul-phn.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Office.Interop.Excel.dll.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\en\LocalizedStrings.xml.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\concrt140.dll.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.Cng.dll.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\legal\jdk\xerces.md.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Java\jre-1.8\bin\java_crw_demo.dll.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\MSIPC\ja\msipc.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription5-pl.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_KMS_Client-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\PPSLAX.DLL.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\ja-JP\InkObj.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Linq.Queryable.dll.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Forms.Primitives.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\jre\legal\javafx\mesa3d.md.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Common Files\System\ado\ja-JP\msader15.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\UIAutomationProvider.dll.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Integration\C2RManifest.osmuxmui.msi.16.en-us.xml.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial4-pl.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Retail-ul-phn.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\HarvardAnglia2008OfficeOnline.xsl.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\7-Zip\Lang\ky.txt.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main.xml.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Serialization.dll.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Java\jre-1.8\legal\jdk\zlib.md.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART1.BDR.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\7-Zip\Lang\tt.txt.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription5-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\VCCORLIB140_APP.DLL.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\bin\policytool.exe.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial4-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\hwrenclm.dat.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A

System Location Discovery: System Language Discovery (discovery)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe

"C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.117.19.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 27.173.189.20.in-addr.arpa | udp

Files

memory/3200-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3227495264-2217614367-4027411560-1000\desktop.ini.tmp

MD5 40fed5aa6129d18220e907346e30b174
SHA1 28edeb21053e2c7ddc167c018f0e00dad6db356f
SHA256 aee0eb9df20ed023402d05ef4682cf658b937ab5536fb3646332b239608fab50
SHA512 549a1f6c7ca197e23b129f38a542b132e177e88ae5596cf9bf40ce75964f35f8abc1ab07c15f833d96caa8bdfcd5e32531b823324e4aa110932ec86195a5350a

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 789746268a0e17181d2c4362fa4acf37
SHA1 c4f0760bf1e7e1992a3c3629b484e69293299e8e
SHA256 30f9e02531e2ebf85b0471b050a9820666438a2acb72578e277543c988a739c9
SHA512 da08f36c98db4a918bc4d2924fb8b943d2d7a2a7f3a76fa729d0311cf04c6a0920746eff5a8e9234df222dd2ce27ab4d12d8aab56ccd91cb2cf0506e1f981125

memory/3200-664-0x0000000000400000-0x000000000040B000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted 2024-10-19 20:46
Reported 2024-10-19 20:49
Platform win7-20241010-en
Max time kernel 150s
Max time network 128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe"

Signatures

Renames multiple (592) files with added filename extension (ransomware)

UPX packed file (upx)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\mshwLatin.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\shadowonlyframe_selectionsubpicture.png.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\720x480icongraphic.png.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\IPSEventLogMsg.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Common Files\System\Ole DB\de-DE\msdasqlr.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_widescreen_Thumbnail.bmp.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\LogoDev.png.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\db\bin\setEmbeddedCP.bat.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\db\bin\stopNetworkServer.bat.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\7-Zip\Lang\ms.txt.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Common Files\System\DirectDB.dll.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\ParentMenuButtonIcon.png.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\InkObj.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\keypadbase.xml.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\DVD Maker\de-DE\OmdProject.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\Dot.png.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\Push\1047_576black.png.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Internet Explorer\ieinstal.exe.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\en-US\tabskb.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-highlight.png.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\InputPersonalization.exe.mui.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_image-frame-ImageMask.png.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_INTRO_BG_PAL.wmv.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\7-Zip\Lang\ar.txt.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base.xml.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\msinfo32.exe.mui.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Common Files\System\Ole DB\oledbvbs.inc.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Common Files\System\Ole DB\msxactps.dll.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\DVD Maker\it-IT\OmdProject.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\Bear_Formatted_RGB6_PAL.wmv.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page.wmv.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\pt-PT.pak.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\micaut.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXEV.DLL.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Common Files\System\msadc\en-US\msaddsr.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\bin\msvcr100.dll.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_rtl.xml.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\fr-FR\MSTTSLoc.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\DVD Maker\directshowtap.ax.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\bin\jli.dll.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-dayi.xml.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\Stationery\SoftBlue.jpg.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\GroupBlock.emz.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\db\bin\stopNetworkServer.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\7-Zip\Lang\sr-spc.txt.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Internet Explorer\JSProfilerCore.dll.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\bin\jawt.dll.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkDrop32x32.gif.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\InkObj.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ja-jp.xml.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\TipRes.dll.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\SmallLogoBeta.png.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\bin\gstreamer-lite.dll.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\bin\jdwp.dll.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\MSTTSCommon.dll.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\TravelIntroToMain_PAL.wmv.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\TipRes.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A

System Location Discovery: System Language Discovery (discovery)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe

"C:\Users\Admin\AppData\Local\Temp\637d8d89e7741348896143b14a3b5facf750a4cda4fe2de1d8ee32869497bdffN.exe"

Network

N/A

Files

memory/2848-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3692679935-4019334568-335155002-1000\desktop.ini.tmp

MD5 348cf4bbb206af876649bd603ce18aeb
SHA1 3f83819c7db953e0711ebc69679bc2e345474e67
SHA256 4d4fcee61af8681312b3d308cd0c36edb631d322aff1f56a15183081018d14a8
SHA512 9cc2f8df686943cd838fb7cf6b8401ddffca9691b2cbd8d937659df1d36b692ec8244902b97981925c3886b096b7af33d5aa71e78c1f8384eab655fd844d0b13

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 86225c6fc3f14a77f36596897cd49ecf
SHA1 a4201e88c9a19675017fc0bc60b4c360f9945170
SHA256 a0ec4e98bf1ffab84f2f1bd7ded0637a43cdb32ef3dd44a95bb1651a90c8a971
SHA512 e13964c59150c254d59ede8ba121b1f2d16976ac1e947de24b54c8a6c6a3bb32b35b444b2082d3ce867dbd46c598d64e0e93ea2fb0aced3548a85b39b7f38255

memory/2848-20-0x0000000000400000-0x000000000040B000-memory.dmp