Malware Analysis Report

2024-12-07 10:04

Sample ID 241113-28bpjs1fjq
Target 6fcda66368603d4076ad6e93fdfe68107a6fda5a19ac5835fa48a445edff4777
SHA256 6fcda66368603d4076ad6e93fdfe68107a6fda5a19ac5835fa48a445edff4777
Tags
upx discovery ransomware
score
9/10

Analysis Overview

score
9/10

SHA256

6fcda66368603d4076ad6e93fdfe68107a6fda5a19ac5835fa48a445edff4777

Threat Level: Likely malicious

The file 6fcda66368603d4076ad6e93fdfe68107a6fda5a19ac5835fa48a445edff4777 was found to be: Likely malicious.

Malicious Activity Summary

upx discovery ransomware

Renames multiple (1242) files with added filename extension

Renames multiple (5070) files with added filename extension

UPX packed file

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-13 23:14

Signatures

UPX packed file

upx

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-13 23:14
Reported: 2024-11-13 23:17
Platform: win7-20241010-en
Max time kernel: 150s
Max time network: 125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6fcda66368603d4076ad6e93fdfe68107a6fda5a19ac5835fa48a445edff4777.exe"

Signatures

Renames multiple (1242) files with added filename extension

ransomware

UPX packed file

upx

Drops file in Program Files directory


System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6fcda66368603d4076ad6e93fdfe68107a6fda5a19ac5835fa48a445edff4777.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6fcda66368603d4076ad6e93fdfe68107a6fda5a19ac5835fa48a445edff4777.exe

"C:\Users\Admin\AppData\Local\Temp\6fcda66368603d4076ad6e93fdfe68107a6fda5a19ac5835fa48a445edff4777.exe"

Network

N/A

Files

memory/1832-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3692679935-4019334568-335155002-1000\desktop.ini.tmp

MD5 9dc164a2ab5e4b4eeccadba1dd5470f2
SHA1 9bc4f0c4ca2f135f8b7575655f6d1142e55a95c7
SHA256 cece4575df190f4662a329cace6b5e5740c09bb654b6642ab4b0a8c107ce8e8f
SHA512 4a5032e678d27337dfbdecbdddd1d39addf26f41391abc44c272a93353f8be211adba3ee9b1094a3e23c03b3623746c95c3d3fba004303beb66faaaf2c86b90e

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 93564c8d4dce7d824d9ceb7a600ce6cb
SHA1 f5b4b013eab4e926a4b9df422c0bb68b6da9fb04
SHA256 65f8a7e67fa47b475809371420ed067280688f269faa0a63aaa4bc41aeb94483
SHA512 fc55d8bfe1253082d032ee04339486b60fb60bc2bf3485951d71b8761a63611f8f0fa3048bb2507c46c5aa22b4e3e4a10ee3094d4896304ffa7e5e067626cf59

memory/1832-20-0x0000000000400000-0x000000000040A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-13 23:14
Reported: 2024-11-13 23:17
Platform: win10v2004-20241007-en
Max time kernel: 150s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6fcda66368603d4076ad6e93fdfe68107a6fda5a19ac5835fa48a445edff4777.exe"

Signatures

Renames multiple (5070) files with added filename extension

ransomware

UPX packed file

upx

Drops file in Program Files directory


System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6fcda66368603d4076ad6e93fdfe68107a6fda5a19ac5835fa48a445edff4777.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6fcda66368603d4076ad6e93fdfe68107a6fda5a19ac5835fa48a445edff4777.exe

"C:\Users\Admin\AppData\Local\Temp\6fcda66368603d4076ad6e93fdfe68107a6fda5a19ac5835fa48a445edff4777.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 105.209.201.84.in-addr.arpa udp

Files

memory/1244-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2437139445-1151884604-3026847218-1000\desktop.ini.tmp

MD5 229f8f6d91e01f3037f787bbfd4dd29e
SHA1 f764ab39d25ff9b0020f95fc72fa2b402cb73c3f
SHA256 503bc2792cd8eb3bfd54cbe4292424a17c0758f45a33ac19077f0508a0136f7f
SHA512 267eb624630dfe077f34fe3ffa497f73be5b269d08f23ea0330f84232c81395a9081191eb1aef6ae3addb0f14f56b096edcabec52733768d240882185217c28e

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 2f6f5add3369fcef4b21ee1a203f1135
SHA1 6f17c18141a07d00a5167afd2de2bbec5e8dd1ee
SHA256 7355893859b42ddd9de719eab06bb5f6ee1af72f40a30d23a4f335cd55c23cf9
SHA512 0f359c498bb2cf1c57503c2abebf357dc0689a88aed331e39e0f7d23aae05a959e8dc53a095e07780dd3ca749bfb786d91f3e1a0a3ed776cb38fe170f49fd667

memory/1244-664-0x0000000000400000-0x000000000040A000-memory.dmp