Malware Analysis Report

2025-01-22 20:17

Sample ID: 241020-cxxefavhnk
Target (submitted file name): d4f9cf6ba03b172f15d8a9a6b02038700384055ff0377cd7162e7a479acbb82a
SHA256: d4f9cf6ba03b172f15d8a9a6b02038700384055ff0377cd7162e7a479acbb82a
Tags: upx, discovery, ransomware
Score: 9/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 9/10

SHA256: d4f9cf6ba03b172f15d8a9a6b02038700384055ff0377cd7162e7a479acbb82a

Threat Level: Likely malicious

The file d4f9cf6ba03b172f15d8a9a6b02038700384055ff0377cd7162e7a479acbb82a was found to be: Likely malicious.

Malicious Activity Summary

Tags: upx, discovery, ransomware

Renames multiple (5009) files with added filename extension (behavioral2, Windows 10 run)
Renames multiple (3743) files with added filename extension (behavioral1, Windows 7 run)
UPX packed file
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Unsigned PE

The two rename counts come from the two detonations below; the difference tracks the different file populations of the two sandbox images, since the same sample ran in both.

MITRE ATT&CK

Enterprise Matrix V15 (no techniques are listed in this report; the signature "System Location Discovery: System Language Discovery" corresponds to T1614.001)

Analysis: static1

Detonation Overview

Reported: 2024-10-20 02:27

Signatures

UPX packed file (tag: upx)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
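The two static signatures above come down to two header checks: UPX leaves its section names (UPX0, UPX1, sometimes UPX2 or UPX!) in the section table, and an unsigned PE has an empty Authenticode security directory. The following is an added example, not the sandbox vendor's detection code: a dependency-free walk of the PE header that reports UPX section names, per-section entropy (packed code is near 8 bits/byte, the empty UPX0 unpack target is 0) and whether a signature blob is present. The PE bytes come from build_sample_pe(), a constructed fixture, so it runs offline; on a real file call triage_pe(open(path, "rb").read()).

```python
"""Static triage behind the 'UPX packed file' and 'Unsigned PE' signatures.

Added example; not the sandbox's own code. build_sample_pe() is a constructed
PE32 fixture so the script runs without the real sample.
"""
import math
import random
import struct
from collections import Counter

UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", "UPX!"}
IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # Authenticode blob: (file offset, size)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty/constant input, near 8.0 for packed or encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_pe(pe: bytes) -> dict:
    """Parse only the headers that matter for packing and signing."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE: missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE: missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    # Data directories start at +96 (PE32) or +112 (PE32+), 8 bytes each.
    dir_off = opt + (96 if magic == 0x10B else 112) + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    _sec_off, sec_size = struct.unpack_from("<II", pe, dir_off)
    sections = []
    for i in range(num_sections):
        entry = opt + opt_size + 40 * i
        name = pe[entry:entry + 8].rstrip(b"\0").decode("latin-1")
        vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, entry + 8)
        sections.append({"name": name, "virtual_size": vsize, "raw_size": raw_size,
                         "entropy": round(shannon_entropy(pe[raw_ptr:raw_ptr + raw_size]), 2)})
    upx = [s["name"] for s in sections if s["name"] in UPX_SECTION_NAMES]
    # A populated security directory only means a signature blob is present;
    # validity still has to be checked (signtool verify / Get-AuthenticodeSignature).
    return {"upx_sections": upx, "upx_packed": bool(upx),
            "has_authenticode": sec_size > 0, "sections": sections}


def signatures(findings: dict) -> list:
    """Map findings onto the two static signature names used in the report."""
    out = []
    if findings["upx_packed"]:
        out.append("UPX packed file")
    if not findings["has_authenticode"]:
        out.append("Unsigned PE")
    return out


def build_sample_pe(signed: bool = False) -> bytes:
    """Constructed fixture: UPX0 (empty on disk, large in memory), UPX1 (high entropy), .rsrc."""
    def section(name, vsize, vaddr, raw_size, raw_ptr):
        return name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", vsize, vaddr, raw_size,
                                                    raw_ptr, 0, 0, 0, 0, 0x60000020)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                     # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    if signed:                                                # fake security directory entry
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x600, 0x100)
    hdr = bytes(dos) + b"PE\0\0" + coff + bytes(opt)
    hdr += section(b"UPX0", 0x10000, 0x1000, 0, 0)
    hdr += section(b"UPX1", 0x200, 0x11000, 0x200, 0x200)
    hdr += section(b".rsrc", 0x200, 0x12000, 0x200, 0x400)
    rng = random.Random(1)                                    # deterministic stand-in for packed code
    upx1 = bytes(rng.randrange(256) for _ in range(0x200))
    return hdr.ljust(0x200, b"\0") + upx1 + b"\0" * 0x200


if __name__ == "__main__":
    findings = triage_pe(build_sample_pe())
    print(signatures(findings), findings["sections"])
```

Section names are trivially renamed by anyone who rebuilds the UPX stub, so entropy and the empty-on-disk, large-in-memory first section are the more robust tells; and absence of a security directory is conclusive for "unsigned", while presence is not conclusive for "signed".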

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-20 02:27
Reported: 2024-10-20 02:30
Platform: win7-20240903-en
Max time kernel: 150s
Max time network: 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d4f9cf6ba03b172f15d8a9a6b02038700384055ff0377cd7162e7a479acbb82a.exe"

Signatures

Renames multiple (3743) files with added filename extension (tag: ransomware)

UPX packed file (tag: upx)

Description | Indicator | Process | Target
4 rows, all N/A (the signature matched but the report records no indicator details)

Drops file in Program Files directory

Description | Indicator | Process | Target
All 64 listed rows share the same values for three columns: Description = File created; Process = C:\Users\Admin\AppData\Local\Temp\d4f9cf6ba03b172f15d8a9a6b02038700384055ff0377cd7162e7a479acbb82a.exe; Target = N/A. The Indicator column (path of the created file) is:

C:\Program Files\Common Files\System\msadc\adcjavas.inc.tmp
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Baku.tmp
C:\Program Files\Mozilla Firefox\notificationserver.dll.tmp
C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\vlc.mo.tmp
C:\Program Files\VideoLAN\VLC\plugins\demux\libreal_plugin.dll.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\PreviousMenuButtonIcon.png.tmp
C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe.tmp
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\hu.pak.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-modules-options-keymap.xml_hidden.tmp
C:\Program Files\VideoLAN\VLC\plugins\video_filter\libpuzzle_plugin.dll.tmp
C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\MS.PNG.tmp
C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Csi.dll.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.contenttype_3.4.200.v20140207-1251.jar.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-settings.xml.tmp
C:\Program Files\Java\jre7\bin\plugin2\msvcr100.dll.tmp
C:\Program Files\Java\jre7\lib\cmm\PYCC.pf.tmp
C:\Program Files\VideoLAN\VLC\plugins\access\libsftp_plugin.dll.tmp
C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\service.js.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\Full\1047x576black.png.tmp
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\ReachFramework.resources.dll.tmp
C:\Program Files\VideoLAN\VLC\NEWS.txt.tmp
C:\Program Files\DVD Maker\it-IT\OmdProject.dll.mui.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\content-background.png.tmp
C:\Program Files\Google\Chrome\Application\chrome.exe.tmp
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Toronto.tmp
C:\Program Files\Java\jre7\lib\fonts\LucidaTypewriterRegular.ttf.tmp
C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_70.png.tmp
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\README.TXT.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\InkWatson.exe.mui.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\dsn.jar.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.nl_zh_4.4.0.v20140623020002.jar.tmp
C:\Program Files\Microsoft Office\Office14\MAPISHELL.DLL.tmp
C:\Program Files\Mozilla Firefox\firefox.exe.tmp
C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\drag.png.tmp
C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\MS.CGM.tmp
C:\Program Files\7-Zip\Lang\gl.txt.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml.tmp
C:\Program Files\Common Files\Microsoft Shared\Stationery\Small_News.jpg.tmp
C:\Program Files\Java\jdk1.7.0_80\jre\lib\net.properties.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.views.nl_ja_4.4.0.v20140623020002.jar.tmp
C:\Program Files\Java\jre7\lib\zi\Asia\Qatar.tmp
C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext.png.tmp
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt55.ths.tmp
C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.htm.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\MANIFEST.MF.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.beans_1.2.200.v20140214-0004.jar.tmp
C:\Program Files\Microsoft Games\Minesweeper\ja-JP\Minesweeper.exe.mui.tmp
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\PresentationBuildTasks.resources.dll.tmp
C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\js\cpu.js.tmp
C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\currency.html.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationLeft_SelectionSubpicture.png.tmp
C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_de_DE.jar.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\feature.xml.tmp
C:\Program Files\Java\jre7\bin\management.dll.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.filesystem_1.4.100.v20140514-1614.jar.tmp
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.Printing.resources.dll.tmp
C:\Program Files\RequestConvertTo.001.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\babyblue.png.tmp
C:\Program Files\Java\jre7\bin\deploy.dll.tmp
C:\Program Files\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui.tmp
C:\Program Files\Windows Portable Devices\sqmapi.dll.tmp
C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_left_rest.png.tmp
C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\slideShow.html.tmp
C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\css\settings.css.tmp

System Location Discovery: System Language Discovery (tag: discovery)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d4f9cf6ba03b172f15d8a9a6b02038700384055ff0377cd7162e7a479acbb82a.exe | N/A

This key backs the standard Windows locale APIs and is opened by a great deal of benign software, so on its own it is weak evidence. It is worth listing because ransomware families commonly check the system language before encrypting; the report records only that the key was opened, not what the sample did with the value.
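The "Renames multiple (N) files with added filename extension" and "Drops file in Program Files directory" signatures are frequency rules over file events rather than anything specific to this sample. The following is an added example, not the sandbox's own signature code: it consumes a constructed tab-separated file-event log (timestamp, pid, image, op, path, new_path; a format assumed for the demo), counts per process the renames whose new name is the old name plus an extension, and alerts when that count exceeds a threshold inside a sliding window. PID 764 and the sample path are taken from this run; the event stream, the victim file names and the ".locked" extension are fabricated, since the report does not name the extension the sample appends or show the order of the .tmp create and the rename.

```python
"""Detection logic behind 'Renames multiple (N) files with added filename
extension' and 'Drops file in Program Files directory'.

Added example; not the sandbox's own code. build_demo_log() fabricates the
events; the log format is an assumption made for the demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RENAME_THRESHOLD = 50            # extension-appending renames...
WINDOW = timedelta(seconds=60)   # ...inside one sliding window
PROGRAM_FILES = ("c:\\program files\\", "c:\\program files (x86)\\")
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\d4f9cf6ba03b172f15d8a9a6b02038700384055ff0377cd7162e7a479acbb82a.exe")


def is_added_extension(old: str, new: str) -> bool:
    """True when new == old + '.<ext>' in the same directory (x.docx -> x.docx.locked)."""
    old_l, new_l = old.lower(), new.lower()
    return new_l.startswith(old_l + ".") and "\\" not in new_l[len(old_l):]


def parse_events(log: str):
    """Yield dicts from the assumed TSV format; new_path is empty for non-rename ops."""
    for line in log.strip().splitlines():
        ts, pid, image, op, path, new_path = line.split("\t")
        yield {"ts": datetime.fromisoformat(ts), "pid": int(pid),
               "image": image, "op": op, "path": path, "new": new_path}


def max_in_window(times, window):
    """Largest number of (sorted) timestamps that fit in any window of the given length."""
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_mass_rename(events, threshold=RENAME_THRESHOLD, window=WINDOW):
    renames = defaultdict(list)     # (pid, image) -> timestamps of qualifying renames
    tmp_drops = defaultdict(int)    # (pid, image) -> .tmp files created under Program Files
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["pid"], ev["image"])
        path_l = ev["path"].lower()
        if ev["op"] == "rename" and is_added_extension(ev["path"], ev["new"]):
            renames[key].append(ev["ts"])
        elif ev["op"] == "create" and path_l.startswith(PROGRAM_FILES) and path_l.endswith(".tmp"):
            tmp_drops[key] += 1
    alerts = []
    for key, times in renames.items():
        burst = max_in_window(times, window)
        if burst >= threshold:
            alerts.append({"pid": key[0], "image": key[1], "renames_in_window": burst,
                           "renames_total": len(times), "program_files_tmp_drops": tmp_drops[key]})
    return alerts


def build_demo_log(n_victims: int = 120) -> str:
    """Fabricated event stream: one benign updater plus a ransomware-like burst."""
    t0 = datetime(2024, 10, 20, 2, 27, 30)
    updater = r"C:\Program Files\Mozilla Firefox\updater.exe"
    ff = r"C:\Program Files\Mozilla Firefox\firefox.exe"
    rows = [
        # An updater writes a .tmp next to the binary, then renames it INTO place
        # (extension removed, not added): a legitimate pattern the rule must not count.
        f"{t0.isoformat()}\t1200\t{updater}\tcreate\t{ff}.tmp\t",
        f"{(t0 + timedelta(seconds=1)).isoformat()}\t1200\t{updater}\trename\t{ff}.tmp\t{ff}",
    ]
    for i in range(n_victims):   # ~2 files/s: <victim>.tmp written, then victim renamed
        ts = (t0 + timedelta(milliseconds=500 * i)).isoformat()
        victim = rf"C:\Program Files\7-Zip\Lang\{i:03d}.txt"
        rows.append(f"{ts}\t764\t{SAMPLE}\tcreate\t{victim}.tmp\t")
        rows.append(f"{ts}\t764\t{SAMPLE}\trename\t{victim}\t{victim}.locked")
    return "\n".join(rows)


if __name__ == "__main__":
    for alert in detect_mass_rename(parse_events(build_demo_log())):
        print(alert)
```

The rename check is deliberately strict (same directory, original name kept as a prefix) so that installers and updaters, which write a .tmp and then rename it into place, do not count; the threshold and window are the tuning knobs, and the two counts the report prints (3743 on Windows 7, 5009 on Windows 10) are exactly what renames_total would hold for a full run.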

Processes

C:\Users\Admin\AppData\Local\Temp\d4f9cf6ba03b172f15d8a9a6b02038700384055ff0377cd7162e7a479acbb82a.exe

"C:\Users\Admin\AppData\Local\Temp\d4f9cf6ba03b172f15d8a9a6b02038700384055ff0377cd7162e7a479acbb82a.exe"

Network

N/A (no network activity recorded in this run)

Files

memory/764-0-0x0000000000400000-0x000000000040A000-memory.dmp (PID 764, image region 0x400000-0x40A000, 40 KiB)

C:\$Recycle.Bin\S-1-5-21-1846800975-3917212583-2893086201-1000\desktop.ini.tmp
  MD5    371f9ee5cd1d40bef6218ba95d378595
  SHA1   8a508ecebd2b6d25f62d24345c01fcdd44b2e8e0
  SHA256 7bba35b8ec5cf8113953da8e09c0103e387113555d8b4b41b3cb48e8a04fdf35
  SHA512 ab2694f3be05201eb3b7939190bea068b5886118bd1bf690fd9ec5497697df472d0ca37628fb016a23bf0e096afb7b144f752cd6b36c00d2f78d8f38363792c5

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp
  MD5    85c54a5b5f6756ecc5e75f4cfeb7451b
  SHA1   536758a8ef47aaa38535af62d10c5b1d3a633f56
  SHA256 8cb4cf85d8e849085ef9c71c6aa5500931eb0c0e944370952c5027340022f995
  SHA512 4a8c15123a21aade9c2ba618cbf4897eea4cfc75994646a807645a64d3bb58775c0e702b184c439259aa8f42b8d568175e738fa2ddbe81d974ee9917407d7d4d

memory/764-75-0x0000000000400000-0x000000000040A000-memory.dmp (PID 764, same region, later dump)

Analysis: behavioral2

Detonation Overview

Submitted: 2024-10-20 02:27
Reported: 2024-10-20 02:30
Platform: win10v2004-20241007-en
Max time kernel: 150s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d4f9cf6ba03b172f15d8a9a6b02038700384055ff0377cd7162e7a479acbb82a.exe"

Signatures

Renames multiple (5009) files with added filename extension (tag: ransomware)

UPX packed file (tag: upx)

Description | Indicator | Process | Target
4 rows, all N/A (the signature matched but the report records no indicator details)

Drops file in Program Files directory

Description | Indicator | Process | Target
All 64 listed rows share the same values for three columns: Description = File created; Process = C:\Users\Admin\AppData\Local\Temp\d4f9cf6ba03b172f15d8a9a6b02038700384055ff0377cd7162e7a479acbb82a.exe; Target = N/A. The Indicator column (path of the created file) is given below; three file names that contained an "@" survive only as "[email protected]" in this export and cannot be recovered from the page.

C:\Program Files\Microsoft Office\root\Client\concrt140.dll.tmp
C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Aspect.xml.tmp
C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-ul-phn.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Retail-ppd.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.ReportDesign.Common.dll.tmp
C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-100.png.tmp
C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]
C:\Program Files\7-Zip\Lang\lt.txt.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Security.Cryptography.Xml.dll.tmp
C:\Program Files\Java\jdk-1.8\jre\bin\ucrtbase.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-ppd.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-ppd.xrm-ms.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\ReachFramework.resources.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_Subscription-ppd.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_MAK_AE-pl.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\mscss7fr.dll.tmp
C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Delete.White.png.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Requests.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XDocument.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Loader.dll.tmp
C:\Program Files\Microsoft Office\root\Office16\1033\WWINTL.DLL.tmp
C:\Program Files\Microsoft Office\root\Office16\Microsoft.Office.PolicyTips.dll.tmp
C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\WindowsFormsIntegration.resources.dll.tmp
C:\Program Files\Google\Chrome\Application\123.0.6312.123\icudtl.dat.tmp
C:\Program Files\Java\jdk-1.8\jre\bin\j2pcsc.dll.tmp
C:\Program Files\Common Files\System\Ole DB\en-US\msdasqlr.dll.mui.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Windows.Forms.Design.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\PresentationCore.resources.dll.tmp
C:\Program Files\Microsoft Office\root\Office16\1033\EXPTOOWS.XLA.tmp
C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_COL.HXT.tmp
C:\Program Files\Common Files\microsoft shared\ink\fr-FR\tipresx.dll.mui.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.XDocument.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\WordR_Trial-pl.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Office.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\WindowsBase.resources.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-ppd.xrm-ms.tmp
C:\Program Files\Java\jdk-1.8\jre\legal\jdk\unicode.md.tmp
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\insertbase.xml.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.CodeDom.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Controls.Ribbon.resources.dll.tmp
C:\Program Files\Microsoft Office\root\Office16\ExcelCtxUIFormulaBarModel.bin.tmp
C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.MemoryMappedFiles.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-ul-phn.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Retail-ul-phn.xrm-ms.tmp
C:\Program Files\Common Files\microsoft shared\ink\en-US\InkObj.dll.mui.tmp
C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\LogoCanary.png.tmp
C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription2-ul-oob.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail2-ul-phn.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTest-ppd.xrm-ms.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Encoding.Extensions.dll.tmp
C:\Program Files\Java\jre-1.8\lib\plugin.jar.tmp
C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.ProviderShared.dll.tmp
C:\Program Files\Microsoft Office\root\Office16\PROOF\msgr8es.dub.tmp
C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-ul.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial5-ul-oob.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_OEM_Perp-ul-oob.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\AUTHOR.XSL.tmp
C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.scale-80.png.tmp
C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-synch-l1-1-0.dll.tmp
C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-time-l1-1-0.dll.tmp
C:\Program Files\Java\jre-1.8\lib\javafx.properties.tmp

System Location Discovery: System Language Discovery (tag: discovery)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d4f9cf6ba03b172f15d8a9a6b02038700384055ff0377cd7162e7a479acbb82a.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d4f9cf6ba03b172f15d8a9a6b02038700384055ff0377cd7162e7a479acbb82a.exe

"C:\Users\Admin\AppData\Local\Temp\d4f9cf6ba03b172f15d8a9a6b02038700384055ff0377cd7162e7a479acbb82a.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.173.189.20.in-addr.arpa | udp

Every row is either a reverse-DNS (PTR) lookup sent to the 8.8.8.8 resolver or a TLS connection to tse1.mm.bing.net, a Microsoft host. The table does not attribute traffic to a process, so none of it can be tied to the sample from this report alone; compare against a benign detonation on the same win10v2004 image before treating any entry as an indicator. The Windows 7 run recorded no network activity at all.
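Sorting a sandbox network table into resolver noise, connections, and anything left unexplained is a routine step when a report like this one arrives without a process column. The following is an added example and not part of the report: it parses the rows above (copied verbatim as constructed input), reverses each in-addr.arpa name back to the IPv4 address it asks about, matches those against the IPs actually connected to, and flags any connection whose host is not on an allowlist. The allowlist containing tse1.mm.bing.net is an assumption made for the demo; in practice it should be built from a benign detonation on the same sandbox image.

```python
"""Triage of a sandbox Network table: resolver noise versus connections.

Added example; not part of the report. NETWORK_TABLE is the behavioral2 table
copied verbatim as constructed input; OS_BACKGROUND_HOSTS is an assumed
allowlist for the demo.
"""
import ipaddress
from collections import Counter

NETWORK_TABLE = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 26.173.189.20.in-addr.arpa udp
"""

OS_BACKGROUND_HOSTS = {"tse1.mm.bing.net"}   # assumed allowlist; derive from a benign run
RESOLVER = "8.8.8.8"


def ptr_target(domain: str):
    """Reverse an in-addr.arpa name back to the IPv4 it asks about, else None."""
    suffix = ".in-addr.arpa"
    if not domain.endswith(suffix):
        return None
    octets = domain[:-len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def parse_rows(table: str):
    """Rows are 'Country Destination Domain Proto' separated by whitespace."""
    for line in table.strip().splitlines():
        country, dest, domain, proto = line.split()
        ip, port = dest.rsplit(":", 1)
        yield {"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto}


def triage_network(table: str, background=OS_BACKGROUND_HOSTS, resolver=RESOLVER) -> dict:
    ptr_queries, forward_queries, connections, unexplained = [], [], Counter(), []
    for row in parse_rows(table):
        target = ptr_target(row["domain"])
        if row["ip"] == resolver and row["port"] == 53:
            # DNS traffic: split PTR (reverse) lookups from forward lookups.
            (ptr_queries if target else forward_queries).append(target or row["domain"])
        else:
            connections[(row["ip"], row["port"], row["domain"])] += 1
            if row["domain"] not in background:
                unexplained.append(row)
    # Which connected peers also had a PTR lookup: the table does not say who
    # issued them, so they are reported alongside the connection, not as contact.
    peer_ips = {ip for ip, _, _ in connections}
    return {
        "ptr_queries": ptr_queries,
        "forward_queries": forward_queries,
        "connections": dict(connections),
        "peers_with_ptr_lookup": sorted(ip for ip in peer_ips if ip in set(ptr_queries)),
        "unexplained": unexplained,
    }


if __name__ == "__main__":
    result = triage_network(NETWORK_TABLE)
    print(len(result["ptr_queries"]), "PTR lookups;", result["connections"])
    print("unexplained:", result["unexplained"])
```

With the allowlist empty, every TCP row comes back as unexplained, which is the right default for a report whose network column cannot be attributed to a process: the analyst, not the script, decides what the sandbox image does on its own.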

Files

memory/4836-0-0x0000000000400000-0x000000000040A000-memory.dmp (PID 4836, image region 0x400000-0x40A000, 40 KiB)

C:\$Recycle.Bin\S-1-5-21-1045960512-3948844814-3059691613-1000\desktop.ini.tmp
  MD5    960f62eb6b34342ff6e82a6a05b3900f
  SHA1   4f205afc9dbf01b5ab87dff49e39534ee6c32d7a
  SHA256 0d9762bd3de73857efbb3e51bb2f2317f58eace94df926b1689e3fa7e8006301
  SHA512 1fcdf39b7c2e763bb2095cf1f41e05e730ca29343aef91ff52df212d5034ed76f470320cc27ad23639f023d8adef32bcc43510f611c950ca4fb7a5795871ecd0

C:\Program Files\7-Zip\7-zip.dll.tmp
  MD5    b2fdf945a40a5648523307c7207cee72
  SHA1   b7bc5c09a56235896bce7a60a29e37e7bfbb9757
  SHA256 2fecccea679fd1a12b10d78324755a01ff9a35b83df1e4c0306d0868154e0a9d
  SHA512 5f932a650356382b01cbf69bc0727af90c7b3a77dd77c0d63e6b7995d60b015f4f4e758052bd7edaa426ae2e11cec1b40491b9488540ff67fbaca3760bc76607

memory/4836-664-0x0000000000400000-0x000000000040A000-memory.dmp (PID 4836, same region, later dump)