Malware Analysis Report

2025-03-15 08:26

Sample ID 241020-ynyf2axcjb
Target 9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N
SHA256 9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45
Tags: discovery ransomware upx
Score: 9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 9/10

SHA256

9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45

Threat Level: Likely malicious

The file 9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N was found to be: Likely malicious.

Malicious Activity Summary

discovery ransomware upx

Renames multiple (283) files with added filename extension

Renames multiple (4531) files with added filename extension

UPX packed file

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-20 19:56

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-20 19:56

Reported

2024-10-20 19:58

Platform

win7-20241010-en

Max time kernel

120s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe"

Signatures

Renames multiple (283) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\tabskb.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\Common Files\System\msadc\handsafe.reg.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationLeft_SelectionSubpicture.png.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page_PAL.wmv.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\Panel_Mask_PAL.wmv.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToNotesBackground.wmv.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\PassportMask_PAL.wmv.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers.xml.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\Passport_PAL.wmv.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-join.avi.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPC.DLL.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Small_News.jpg.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\navSubpicture.png.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationRight_SelectionSubpicture.png.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\btn-next-static.png.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\7-Zip\Lang\cs.txt.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\FlickLearningWizard.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base.xml.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI.MOF.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\Common Files\System\msadc\ja-JP\msadcer.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\Common Files\System\msadc\msdaremr.dll.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationUp_SelectionSubpicture.png.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\7-Zip\Lang\mr.txt.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\micaut.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Blue_Gradient.jpg.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\Common Files\System\ja-JP\wab32res.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\Common Files\System\msadc\it-IT\msadcfr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\Common Files\System\msadc\ja-JP\msadcfr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\NextMenuButtonIconSubpictur.png.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\mip.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\de-DE\sqlxmlx.rll.mui.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainBackground_PAL.wmv.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\Common Files\System\msadc\de-DE\msadcer.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\DVD Maker\OmdProject.dll.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\rtscom.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_INTRO_BG.wmv.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\7-Zip\Lang\ga.txt.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Push\push_title.png.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipTsf.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\mshwLatin.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\DVD Maker\es-ES\OmdProject.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationUp_ButtonGraphic.png.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationLeft_ButtonGraphic.png.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\7-Zip\Lang\az.txt.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Tiki.gif.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\mainimage-mask.png.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols.xml.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\Common Files\System\wab32res.dll.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_Buttongraphic.png.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationLeft_SelectionSubpicture.png.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\7-Zip\Lang\pa-in.txt.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\FlickAnimation.avi.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\InkObj.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\InputPersonalization.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Orange Circles.htm.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee.dll.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\Common Files\System\es-ES\wab32res.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\7-Zip\Lang\fr.txt.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\7-Zip\Uninstall.exe.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\mshwLatin.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\InkWatson.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe

"C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe"

Network

N/A

Files

memory/2208-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3692679935-4019334568-335155002-1000\desktop.ini.tmp

MD5 3995b88706668e3db351780a1ef4ccc9
SHA1 5155e47401c34a1fbb2920a0fbb8eb15c1722c9c
SHA256 1a9cf4e3c36cea3a4c301cc195c71ceec096993eb5f178817cb67b5a2506b102
SHA512 6698971da84fba604dddf39e3db0b167aa8891fbac24bf073578ead0345860f9a520ad655dfcb28199f2e37b49ed86f165f84113d9784547220d19e7e9f216a7

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 285b115bf823528f31173ef9f1a2ebab
SHA1 3b69bbce56783e05a9c9197438149996a38859ce
SHA256 5e7c13c546255fcc115e5066fe010a86d40f48b0016099a298d7a05ce957f1f9
SHA512 1495acdaef88c8c05116acaff663b1e6770848d2d6f2b505b1ef67e9747ef9a87bca6cb844beada321be11d90c75e37f697f8b0b020dc89a30aa13d6fee683a6

memory/2208-18-0x0000000000400000-0x000000000040A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-20 19:56

Reported

2024-10-20 19:58

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe"

Signatures

Renames multiple (4531) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.WebHeaderCollection.dll.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Trial-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\AugLoop\bundle.js.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.scale-100.png.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp140.dll.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-file-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp2-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_PrepidBypass-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ja-JP\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\PresentationCore.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\dt_socket.dll.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Trial-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial2-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\client_eula.txt.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ipskor.xml.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\fil.pak.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.DataAnnotations.dll.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.Serialization.dll.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\Java\jdk-1.8\legal\jdk\icu.md.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial1-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntryR_PrepidBypass-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_OEM_Perp-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\Microsoft.VisualBasic.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Xaml.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\WindowsFormsIntegration.dll.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\tzdb.dat.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVCatalog.dll.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Accessibility.dll.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\es-ES\oledb32r.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.dll.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\UIAutomationTypes.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Xaml.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription4-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Grace-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.HttpListener.dll.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.Primitives.dll.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-console-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-interlocked-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-console-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\AccessRuntime_eula.txt.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\PresentationFramework.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fr-FR\tabskb.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\PresentationFramework.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\Internet Explorer\SIGNUP\install.ins.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\MondoR_KMS_Automation-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-conio-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.Annotations.dll.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaBrightRegular.ttf.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial4-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\Graph.exe.manifest.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\UIAutomationTypes.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Aero2.dll.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Subscription-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Numerics.dll.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\fr.pak.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Retail-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.NETCore.App.deps.json.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.CSharp.dll.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-namedpipe-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\deploy\messages.properties.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A
File created C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml.tmp C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe

"C:\Users\Admin\AppData\Local\Temp\9ec9a1c74f34854a3c00e646dad6703181ec38bb749f7766537e4cf88f27fd45N.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 133.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

memory/620-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3350944739-639801879-157714471-1000\desktop.ini.tmp

MD5 a4c629ceed4003b5628add464e3d9182
SHA1 8ee3cc3e59fafce74146cc29ff435690d9a0b244
SHA256 dbec2e321b8f1a6ded03e105b2fcd2631e71394f6c1d09363366a47bcdd291d5
SHA512 6301e6af62fa5cb0e47b6df6badc01b448d8a6b5d9f2c7336358971b73414f2c83020974691307b51bfa819da6a07170c5357c386dc18c00cac55bb234cdaad4

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 de91e733608cd2e327f2b3d109d08aa1
SHA1 212da7d9c7dc593490e25dc1110c0c86cd1dffce
SHA256 8757b700d2c0695e0cf042eecf689dc8e9f52b07d5e452d856df3805189abf92
SHA512 780a27c06e1cacffda49da3b92525068da053081b122794b731a46e3c053157c1e64726e6fe5ee3fdb7ae38550594f95a480ceedbd600d4594b1ae95dde410bd

memory/620-659-0x0000000000400000-0x000000000040A000-memory.dmp