Malware Analysis Report

2025-03-15 08:19

Sample ID 241020-t8msta1amp
Target fbeca8ebc8c509d6590c03a15970209e874b5485f9b7259b172d93d9c7478aa6N
SHA256 fbeca8ebc8c509d6590c03a15970209e874b5485f9b7259b172d93d9c7478aa6
Tags upx discovery ransomware
Score 9/10

Analysis Overview

Threat Level: Likely malicious

The file fbeca8ebc8c509d6590c03a15970209e874b5485f9b7259b172d93d9c7478aa6N was found to be: Likely malicious.

Malicious Activity Summary

upx discovery ransomware

Renames multiple (601) files with added filename extension

Renames multiple (5031) files with added filename extension

UPX packed file

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Analysis: static1

Detonation Overview

Reported 2024-10-20 16:43

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-10-20 16:43
Reported 2024-10-20 16:46
Platform win7-20241010-en
Max time kernel 150s
Max time network 129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fbeca8ebc8c509d6590c03a15970209e874b5485f9b7259b172d93d9c7478aa6N.exe"

Signatures

Renames multiple (601) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\fbeca8ebc8c509d6590c03a15970209e874b5485f9b7259b172d93d9c7478aa6N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\fbeca8ebc8c509d6590c03a15970209e874b5485f9b7259b172d93d9c7478aa6N.exe

"C:\Users\Admin\AppData\Local\Temp\fbeca8ebc8c509d6590c03a15970209e874b5485f9b7259b172d93d9c7478aa6N.exe"

Network

N/A

Files

memory/2368-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3692679935-4019334568-335155002-1000\desktop.ini.tmp

MD5 d9b721b03f6995a59cc7adb0190beef7
SHA1 7ff00e4d62d2ff0edc3016d1312d88d51c67f28d
SHA256 c92c81f8f078ed96ae98890e8109cbe83dfca28f39f063fd561634e590469911
SHA512 2e41b4fb6897049ba32a58a7c6db13f369bce734b61ae8851001c9f3fc4318a49aaf0f5ea0e2995e841b8b866b39b2fdbb43ca368e663712934f70b457253689

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 e34621602811b512a1e2897a5ede744f
SHA1 3b0b06230a4856f30438b7b4910843f6078d7778
SHA256 8e556532afbc7cd0845010fae4dcac32c3d7e7384cdfaec33c960cf51236feeb
SHA512 880227d815145f0907337df7f600ad3abd2e25ea83066b83a0b0d41efb04ee8a319884dca25009b9da43b5bb83466af67029a6dead28c0ba4e25e4c9cb482333

memory/2368-20-0x0000000000400000-0x000000000040B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-10-20 16:43
Reported 2024-10-20 16:46
Platform win10v2004-20241007-en
Max time kernel 150s
Max time network 126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fbeca8ebc8c509d6590c03a15970209e874b5485f9b7259b172d93d9c7478aa6N.exe"

Signatures

Renames multiple (5031) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\fbeca8ebc8c509d6590c03a15970209e874b5485f9b7259b172d93d9c7478aa6N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\fbeca8ebc8c509d6590c03a15970209e874b5485f9b7259b172d93d9c7478aa6N.exe

"C:\Users\Admin\AppData\Local\Temp\fbeca8ebc8c509d6590c03a15970209e874b5485f9b7259b172d93d9c7478aa6N.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 66.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 78.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

memory/3556-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2437139445-1151884604-3026847218-1000\desktop.ini.tmp

MD5 122467527751544197a7c64fa0a07290
SHA1 5d611e18227c53cf549716d920f0aad91589f609
SHA256 7461f82f46c1402549749bbb1cf19555fec2554b37c80aa19fb373222fe37f37
SHA512 0f2d59ac0f7af0e783bd84711b9c2691b6e95dba0fdee310634858091a104c6af5d57613438fb4350f015f859230cafc6401d210078f98ae5ae13b099c9899d5

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 874353207f94b4725986c1f44b5b650a
SHA1 47153e5c65abc414dfb9ca5cb47e0a816554a8ba
SHA256 02b372dcdcb1cf572c14f5726eda4b4ed5870cdff702ee9fd8db367c7e2a9253
SHA512 e64aa8f90ca8e99d487a2a16472d648057561c251b854674d00387dc7faa131235798fc4bcabc7d1e8d2cbcb7b399683bb545d55e7201c0e745011ab9624b8fc

memory/3556-658-0x0000000000400000-0x000000000040B000-memory.dmp