Malware Analysis Report

2024-12-07 10:03

Sample ID 241113-257b2s1erj
Target 6fcda66368603d4076ad6e93fdfe68107a6fda5a19ac5835fa48a445edff4777
SHA256 6fcda66368603d4076ad6e93fdfe68107a6fda5a19ac5835fa48a445edff4777
Tags: upx, discovery, ransomware
Score: 9/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 9/10

SHA256

6fcda66368603d4076ad6e93fdfe68107a6fda5a19ac5835fa48a445edff4777

Threat Level: Likely malicious

The file 6fcda66368603d4076ad6e93fdfe68107a6fda5a19ac5835fa48a445edff4777 was found to be: Likely malicious.

Malicious Activity Summary

Tags: upx, discovery, ransomware

Renames multiple (1169) files with added filename extension

Renames multiple (5011) files with added filename extension

UPX packed file

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 23:10

Signatures

UPX packed file

upx

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 23:10

Reported

2024-11-13 23:13

Platform

win7-20241010-en

Max time kernel

150s

Max time network

18s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6fcda66368603d4076ad6e93fdfe68107a6fda5a19ac5835fa48a445edff4777.exe"

Signatures

Renames multiple (1169) files with added filename extension

ransomware

UPX packed file

upx

Drops file in Program Files directory

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6fcda66368603d4076ad6e93fdfe68107a6fda5a19ac5835fa48a445edff4777.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6fcda66368603d4076ad6e93fdfe68107a6fda5a19ac5835fa48a445edff4777.exe

"C:\Users\Admin\AppData\Local\Temp\6fcda66368603d4076ad6e93fdfe68107a6fda5a19ac5835fa48a445edff4777.exe"

Network

N/A

Files

memory/2580-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3692679935-4019334568-335155002-1000\desktop.ini.tmp

MD5 59c71083c1c3b96bd97d14dc1c6f8c42
SHA1 539b50e6c8b72dcf90d69bfd6eec879ff4e2984f
SHA256 e89c9fe4919b97dc2058ae65e5989d62f5a7132401aa467155bcb24e38d2c08f
SHA512 09ccb58b86a4597b3085a57604179e01c36fa1e718634d82462a3069f1ae8571cf72fdaa21fde67619f49d9f06fd20aff8f8ed95e3ad9de7a64d38a42bf3e904

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 7d24890a075c3e0c71acb572dcf28423
SHA1 7dfdbec434622c6fc414aabef965d6e41be31c1c
SHA256 3abb1c5f051d129bfa05927f74dd2e4404ca9f5c93b6c79fc977693a02b69fef
SHA512 b8127e17e3637a3bc0ac5de44d2b1ccf619f1e32ac08fc2cce162f6cecd41f73f44003c6a915810f47ff30542421dec71b90a37d2b6690a8543bb9300d610e35

memory/2580-26-0x0000000000400000-0x000000000040A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 23:10

Reported

2024-11-13 23:13

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6fcda66368603d4076ad6e93fdfe68107a6fda5a19ac5835fa48a445edff4777.exe"

Signatures

Renames multiple (5011) files with added filename extension

ransomware

UPX packed file

upx

Drops file in Program Files directory

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6fcda66368603d4076ad6e93fdfe68107a6fda5a19ac5835fa48a445edff4777.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6fcda66368603d4076ad6e93fdfe68107a6fda5a19ac5835fa48a445edff4777.exe

"C:\Users\Admin\AppData\Local\Temp\6fcda66368603d4076ad6e93fdfe68107a6fda5a19ac5835fa48a445edff4777.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 101.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

memory/3476-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-4089630652-1596403869-279772308-1000\desktop.ini.tmp

MD5 7ee89ccbb57ac08dbc64c0bc41ab7901
SHA1 729c79fcf0a35ba0c4388c8d2380373d5e9cb56a
SHA256 e330c06190c9a25088695587167304d8b7de4b27784fc973164ad249d0760421
SHA512 6e0e8e7641530c365aeac6cae702bdceda9aa78b15d86e59827c5495527dc78eb56c9251dee0a20d87a2c6f0c6b708861c874bee6fb64ce89775092459f6b870

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 1c79c0d5ea22e8d085463a240592863a
SHA1 e77a6235d5ed19c1b08de9db53623f9ceaaf006d
SHA256 0f6a45eee980aab2171220b0db5eb1b9a85b28de10f85823298cb521ee5a4743
SHA512 b80fc26c79c73de58d912264bc67c26065db7dd8146cfa5b112ec98b395ffe53f0399da8eb78db56ee7e95800fc37a0ece0ca0d99de13858c659c5bec6673b2a

memory/3476-660-0x0000000000400000-0x000000000040A000-memory.dmp