Malware Analysis Report

2025-01-22 20:18

Sample ID 241020-bwgrxs1cjb
Target f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N
SHA256 f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38
Tags
upx discovery ransomware
Score
9/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score
9/10

SHA256

f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38

Threat Level: Likely malicious

The file f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N was found to be: Likely malicious.

Malicious Activity Summary

upx discovery ransomware

Renames multiple (3057) files with added filename extension

Renames multiple (4370) files with added filename extension

UPX packed file

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-20 01:29

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-20 01:29

Reported

2024-10-20 01:31

Platform

win7-20240729-en

Max time kernel

120s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe"

Signatures

Renames multiple (3057) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ReachFramework.dll.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\mip.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Graph.emf.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\shadowonlyframe_buttongraphic.png.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Java\jre7\bin\jfr.dll.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Santa_Isabel.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Pacific\Rarotonga.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Microsoft Games\Multiplayer\Spades\ja-JP\ShvlRes.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\playlist\youtube.luac.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\System.IdentityModel.Resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\7-Zip\Lang\ta.txt.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Internet Explorer\en-US\iexplore.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\db\lib\derbytools.jar.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\WET.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.servlet.jsp_2.2.0.v201112011158.jar.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_mac.css.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToNotesBackground.wmv.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\java.security.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Microsoft Games\Hearts\desktop.ini.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-progress-ui.xml.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Africa\Tunis.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Microsoft Games\Multiplayer\Spades\es-ES\ShvlRes.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Mozilla Firefox\firefox.VisualElementsManifest.xml.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\sports_disc_mask.png.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\javafx-mx.jar.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\feature.xml.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.SF.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.nl_ja_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Havana.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Tegucigalpa.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Push\pushplaysubpicture.png.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.w3c.css.sac_1.3.1.v200903091627.jar.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Java\jre7\lib\psfont.properties.ja.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.natives_1.1.100.v20140523-0116.jar.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Internet Explorer\iediagcmd.exe.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.swt.nl_zh_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Europe\Sofia.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\7-Zip\Lang\tk.txt.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationRight_ButtonGraphic.png.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\feature.properties.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-loaders_zh_CN.jar.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-settings.xml.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Pacific\Kiritimati.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Microsoft Office\Office14\Mso Example Setup File A.txt.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Orange Circles.htm.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\de-DE\msdasqlr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\en-US\oledb32r.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-host-remote.jar.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\rtscom.dll.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Fortaleza.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Managua.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.swt.win32.win32.x86_64.nl_zh_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\jfluid-server_ja.jar.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\vlc.mo.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Internet Explorer\perf_nt.dll.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\La_Paz.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host.xml.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\epl-v10.html.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.update.configurator_3.3.300.v20140518-1928.jar.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-keyring.jar.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-heapdump_zh_CN.jar.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\WET.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe

"C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe"

Network

N/A

Files

memory/2120-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2703099537-420551529-3771253338-1000\desktop.ini.tmp

MD5 262cd5de93ffda1ef48a80f975843a01
SHA1 d4eaca07b1f3fb4e98a4cb2a3a0e5404621fb70b
SHA256 1ab0a17ad918677c99d027f11aed20e4d84ca557bff0aa544e12c6ed3bb15bf1
SHA512 c5036d5189cc55ce372335b7bab2b1fed3f7cb9c202e3adfa41b6fe110020fd1bb2615feab645be8acef98bdf0d6676e16d263b28dc25b26b91a8d22bc2fae77

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 05f041ee9e3889feff07263a95bcf28f
SHA1 7a6c58c3b3c330db2482619ee728e8d7e451f8ba
SHA256 8bd7d7e88a6223eb651ca8e6670b6c0a886e690fef6a0fd717afc64f55c6b5ef
SHA512 ac7e74c0d5cada7fd8d9984aeb2a9b2e413a61bf2412cc0297d8df9c1f5f5c01305e3272cb1585ab87729c422dda732a52a77e3c87a3cc4c1a3a28b43d49a1f5

memory/2120-70-0x0000000000400000-0x000000000040B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-20 01:29

Reported

2024-10-20 01:31

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

104s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe"

Signatures

Renames multiple (4370) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.zh-cn.dll.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework-SystemXmlLinq.dll.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\EXCELPLUGINSHELL.DLL.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\WindowsFormsIntegration.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Controls.Ribbon.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red.xml.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART15.BDR.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\excelcnv.exe.manifest.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\System.Windows.Forms.Design.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\te.pak.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.ReportingServices.QueryDesigners.dll.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.TypeConverter.dll.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.AccessControl.dll.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Security.Cryptography.Pkcs.dll.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Retail-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTrial-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\UIAutomationClient.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\System.Windows.Forms.Primitives.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Java\jre-1.8\README.txt.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Microsoft Office\root\Client\C2R64.dll.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription1-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_KMS_Client_AE-ul.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fr-FR\tabskb.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\VGX\VGX.dll.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019DemoR_BypassTrial180-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\7-Zip\Lang\pt.txt.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\UIAutomationTypes.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_MAK-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Common Files\System\ado\it-IT\msader15.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\UIAutomationClientSideProviders.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\legal\jdk\relaxngdatatype.md.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\System.Windows.Forms.Primitives.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\PresentationUI.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Gill Sans MT.xml.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe.config.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\PresentationUI.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\zh-TW.pak.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Java\jre-1.8\legal\jdk\icu.md.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Microsoft Office\PackageManifests\AuthoredExtensions.16.xml.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_KMS_Client_AE-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\EXCELPLUGINCORE.DLL.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientEventLogMessages.man.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Java\jdk-1.8\include\classfile_constants.h.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\prism_sw.dll.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp4-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-timezone-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\PresentationFramework.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Java\jre-1.8\legal\jdk\thaidict.md.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\InkDiv.dll.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\7-Zip\Lang\tk.txt.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\dicjp.bin.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Windows.Forms.Primitives.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial2-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-string-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\7-Zip\Lang\lv.txt.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\tr-TR\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\UIAutomationClient.dll.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\Microsoft.VisualBasic.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\System.Windows.Forms.Design.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\plugin2\msvcp140.dll.tmp C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe

"C:\Users\Admin\AppData\Local\Temp\f1e62a6ab8b591619a5ccd37413fe424fea58ef4ace810e772620f27ff0fde38N.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 69.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

memory/3148-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3350944739-639801879-157714471-1000\desktop.ini.tmp

MD5 7b5fbfd9d972feb0b761ba641472a6a2
SHA1 64f6777233a054994b1453b90cc60f933975f059
SHA256 0bdef094d115f3d0ae26a8a710ace986f008a51e0536fafe11c2f8acb13bb432
SHA512 7c9598b0ded3f290ded85564f90701e2b32665a169ad18c94aaa02d60dcdb525e4c0d2b6cdfcfa42ce851a3961111447e5fcfa04f9e462491b5e492cc89dcd7d

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 c10003db274d40bcdce1f24253b18b92
SHA1 8ca561a3d43b2ae84a6accc5a0b04fbd07b675b2
SHA256 7d2ba15ce8fd40f2741fa615efca8506efc32aa763e80aa9030fe297d2ebba88
SHA512 8864826671c1b65d3462bc56d81b6c2e4bf15170699f71cf4876e5aa634af211d0d3b8a9fdd37e865dbab5a0bd34a635c4a04102e9b4561ba75fc6b5979eab8d

memory/3148-660-0x0000000000400000-0x000000000040B000-memory.dmp