Malware Analysis Report

2025-01-22 20:17

Sample ID 241020-b213ra1enc
Target 68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N
SHA256 68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9
Tags
upx discovery ransomware
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9

Threat Level: Likely malicious

The file 68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N was found to be: Likely malicious.

Malicious Activity Summary

upx discovery ransomware

Renames multiple (3795) files with added filename extension

Renames multiple (5196) files with added filename extension

UPX packed file

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-20 01:39

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-20 01:39

Reported

2024-10-20 01:41

Platform

win7-20240708-en

Max time kernel

149s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe"

Signatures

Renames multiple (3795) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_blue_sun.png.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\de-DE\MSTTSLoc.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\ECLIPSE_.RSA.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Antarctica\Rothera.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Microsoft Games\Solitaire\Solitaire.exe.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Data.Linq.Resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\combo-hover-left.png.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationUp_ButtonGraphic.png.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host-remote_ja.jar.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\codec\libstl_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_description_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Regular.otf.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationLeft_ButtonGraphic.png.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\jli.dll.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\jvm.cfg.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Tokyo.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.syntheticnotification.exsd.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\ink\penkor.dll.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Windows Media Player\de-DE\setup_wm.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\tile_bezel.png.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\7-Zip\Lang\ru.txt.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Common Files\System\msadc\it-IT\msadcer.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Glace_Bay.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Indian\Chagos.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\pt_PT\LC_MESSAGES\vlc.mo.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\access\liblibbluray_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rss_headline_glow_docked.png.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\47.png.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\calendars.properties.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Tehran.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Java\jre7\lib\classlist.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\access\librtp_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\video_output\libglwin32_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\access\libtcp_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\VideoLAN\VLC\README.txt.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\correct.avi.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\it-IT\MSTTSLoc.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jmx.xml.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Africa\El_Aaiun.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Asia\Kolkata.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\VideoLAN\VLC\COPYING.txt.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Windows Media Player\WMPDMC.exe.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Eucla.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\license.html.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-charts_ja.jar.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\DvdTransform.fx.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Asia\Tbilisi.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\ehshellLogo.png.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-sampler_zh_CN.jar.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.IdentityModel.Selectors.Resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\en-US\gadget.xml.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1252.TXT.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Java\jre7\Welcome.html.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\dialogs\offset_window.html.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\codec\libtwolame_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\gadget.xml.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_s.png.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\gadget.xml.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\mip.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe

"C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe"

Network

N/A

Files

memory/2976-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3551809350-4263495960-1443967649-1000\desktop.ini.tmp

MD5 9352ea659e75b10f271f89cc345f0dc6
SHA1 1d280d7f1be84e7385703f06b2591f2ff7701a43
SHA256 19669553443444b5388b56fc7957d82f8d70a9527f6e81c1bc2f463736b6dfb5
SHA512 fc443fc32f48f0d2e2b4fa2a07e2d5145e5bdeef363b9b57f01f1e9afb583a4c4b23ed274b52a3b59fb2e2d7e55840df782e0e51ed10ef5720232392e8d09a7a

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 92f594aba5912f3906ddd6eaa7e83592
SHA1 c34d1d25c49485604eb8e07c972554d2cda7ba25
SHA256 a35a2c73db308864234375254d83815be029ec8e03493f390a21cf0a732d6a92
SHA512 749a7123c12910a0ed7636983fe41911585862679a6d755e6b75096f0d41508ca49c97236ac09e7c3c4a4ab51ac234ddf1be9e0169b1d85ee813ac9c1f723c79

memory/2976-70-0x0000000000400000-0x000000000040A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-20 01:39

Reported

2024-10-20 01:41

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe"

Signatures

Renames multiple (5196) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.WebHeaderCollection.dll.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\sunmscapi.dll.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\MondoR_BypassTrial180-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\WindowsFormsIntegration.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription2-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Trial-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MEDIA\VOLTAGE.WAV.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Thread.dll.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\PresentationUI.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\legal\jdk\dom.md.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-3102-0000-1000-0000000FF1CE.xml.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\MySharePoints.ico.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\gstreamer-lite.dll.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Green.xml.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest5-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONENGINE.DLL.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.ReportingServices.AdHoc.Excel.Client.dll.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\7-Zip\Lang\ro.txt.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Collections.dll.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Globalization.Calendars.dll.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Numerics.Vectors.dll.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\UIAutomationTypes.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.lt-lt.dll.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Internet Explorer\ielowutil.exe.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\c2rpridslicensefiles_auto.xml.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART2.BDR.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-140.png.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\7-Zip\Lang\zh-cn.txt.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.OpenSsl.dll.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\management-agent.jar.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_MAK_AE-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.WebSockets.Client.dll.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\sound.properties.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-file-l1-2-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\de-DE\oledb32r.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\jsound.dll.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\PowerPointNaiveBayesCommandRanker.txt.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\Configuration\ssn_high_group_info.txt.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.VisualBasic.Core.dll.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\System.Windows.Input.Manipulations.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Xaml.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l2-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ru-RU\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\shaded.dotx.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\DocumentRepository.ico.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.he-il.dll.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\offreg.dll.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.VisualBasic.dll.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-process-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_KMS_Client_AE-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Retail-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.WebClient.dll.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_Grace-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTest-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\bwcapitalized.dotx.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\libcurl.dll.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Principal.dll.tmp C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe

"C:\Users\Admin\AppData\Local\Temp\68627ee9187ab43c99f8d28d4b888b8f78b2302a350525168b1dd2fac2f60fe9N.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 95.16.208.104.in-addr.arpa udp

Files

memory/448-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-4050598569-1597076380-177084960-1000\desktop.ini.tmp

MD5 487a65f3a3bf705c63d4ba6946cd163b
SHA1 346c7b3021a9bf4952bd5a4c871e10ebffd99291
SHA256 34bd6222b67d7ec075d2434f04f0907182ebdaf29146738448d0e7a779ae6d11
SHA512 beb559bbdbd3659231002e4549533adafbd6996c901ea7500ccb2131ba2f2a43f7607e1996936e1665d52f68d4838155a84a66299695470c9b12d27ce69a32e2

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 b37221089c11c56abac6178735504dc9
SHA1 814ed5ce5b293a7a6b1cb6c9aefd2aafa23d1141
SHA256 e3521509214c78ca9392754c03d5cfe8ecd29b97b1585bd95b5332941692756d
SHA512 068032a37ddc27a58e58b87f2975e46056b41464561d369e5cf84e0e5c6dbfb4ac29b56ea00b69f0c66b9611dcdcaed8865a48556e227e6a4951e6fd5ea82d2e

memory/448-765-0x0000000000400000-0x000000000040A000-memory.dmp