Malware Analysis Report

2024-12-07 10:04

Sample ID: 241113-alg49sterm
Target: 6ff029ad787a69dca7484d57eda1d58a60c69d6b08c4e140bbf1281f60199948.exe
SHA256: 6ff029ad787a69dca7484d57eda1d58a60c69d6b08c4e140bbf1281f60199948
Tags: upx, discovery, ransomware
Score: 9/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 9/10

SHA256: 6ff029ad787a69dca7484d57eda1d58a60c69d6b08c4e140bbf1281f60199948

Threat Level: Likely malicious

The file 6ff029ad787a69dca7484d57eda1d58a60c69d6b08c4e140bbf1281f60199948.exe was found to be: Likely malicious.

Malicious Activity Summary

Tags: upx, discovery, ransomware

Renames multiple (4646) files with added filename extension (behavioral2, win10v2004-20241007-en)

Renames multiple (483) files with added filename extension (behavioral1, win7-20241010-en)

UPX packed file

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Both behavioral runs show the same file-renaming behaviour; the counts differ with the platform image (the win10 image carries far more files under C:\Program Files, e.g. the dotnet, Office 16 and Java 8 trees, than the win7 image).

MITRE ATT&CK (Enterprise Matrix V15)

The only technique the report names explicitly is System Location Discovery: System Language Discovery (T1614.001), triggered by the sample opening HKLM\SYSTEM\ControlSet001\Control\NLS\Language in both behavioral runs.

Analysis: static1

Detonation Overview

Reported: 2024-11-13 00:17

Signatures

UPX packed file (tag: upx)

Unsigned PE

No indicator, process or target is recorded for either static signature.
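The two static signatures above come from the PE header alone: stock UPX leaves sections named UPX0/UPX1, and a PE with an empty Security data directory carries no Authenticode signature. The following is an added example of those checks, written for this page and not the sandbox's own code. It parses the PE header with a minimal hand-written reader (no third-party library) and, so that it runs offline, constructs a synthetic header with build_pe(); the synthetic SizeOfImage of 0xA000 is chosen to match the 0x400000-0x40A000 image region the behavioral runs dumped. To check a real sample, pass open(path, "rb").read() to static_signatures() instead.

```python
"""
Static checks for the static1 signatures "UPX packed file" and "Unsigned PE".
Added example; not the sandbox's implementation.  build_pe() produces a
constructed, non-loadable PE header used only as test input.
"""
import struct

SECURITY_DIR_INDEX = 4          # IMAGE_DIRECTORY_ENTRY_SECURITY (Authenticode)
SECTION_HEADER_SIZE = 40


def build_pe(section_names, security_size=0, pe32plus=False, size_of_image=0xA000):
    """Construct a minimal PE header (constructed test input, not loadable)."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                  # e_lfanew
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH",
                       0x8664 if pe32plus else 0x14C,      # Machine
                       len(section_names), 0, 0, 0,        # NumberOfSections, ts, symtab, nsyms
                       opt_size, 0x102)                    # SizeOfOptionalHeader, Characteristics
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)   # Magic
    struct.pack_into("<I", opt, 56, size_of_image)                # SizeOfImage (same offset in PE32/PE32+)
    dir_off = 112 if pe32plus else 96                             # start of data directories
    struct.pack_into("<I", opt, dir_off - 4, 16)                  # NumberOfRvaAndSizes
    if security_size:
        # The Security directory holds a file offset (not an RVA) and a size.
        struct.pack_into("<II", opt, dir_off + 8 * SECURITY_DIR_INDEX, 0x1000, security_size)
    sections = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode("ascii").ljust(8, b"\0"),
                    0x1000, 0x1000 * (i + 1), 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
        for i, name in enumerate(section_names))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sections


def parse_pe(data):
    """Return section names, SizeOfImage and the Security data directory."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:
        dir_off = 96                    # PE32
    elif magic == 0x20B:
        dir_off = 112                   # PE32+
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    n_dirs = struct.unpack_from("<I", data, opt + dir_off - 4)[0]
    security = (0, 0)
    if n_dirs > SECURITY_DIR_INDEX:
        security = struct.unpack_from("<II", data, opt + dir_off + 8 * SECURITY_DIR_INDEX)
    names = []
    pos = opt + opt_size                # section table follows the optional header
    for _ in range(n_sections):
        raw = struct.unpack_from("<8s", data, pos)[0]
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
        pos += SECTION_HEADER_SIZE
    return {"sections": names, "size_of_image": size_of_image, "security_dir": tuple(security)}


def static_signatures(data):
    """Emit the two static1 signatures from the report for a PE image."""
    info = parse_pe(data)
    sigs = []
    # Stock UPX names its sections UPX0/UPX1 (and keeps .rsrc).  A modified
    # packer can rename them, so this catches the default build only.
    if any(n.upper().startswith("UPX") for n in info["sections"]):
        sigs.append("UPX packed file")
    # An empty Security directory means no embedded Authenticode signature.
    # A non-empty one only means a signature blob is present; whether it
    # verifies is a separate check (e.g. signtool verify).
    if info["security_dir"][1] == 0:
        sigs.append("Unsigned PE")
    return sigs


if __name__ == "__main__":
    sample = build_pe(["UPX0", "UPX1", ".rsrc"])
    print(parse_pe(sample))
    print(static_signatures(sample))
```

The section-name test is the weakest part of the check: it identifies an unmodified UPX build, which is exactly what the sandbox's upx tag claims, but a renamed-section variant would need an entropy or unpacker-stub check instead. The signature test is strict in the other direction: the absence of a Security directory is conclusive, its presence is not.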

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-13 00:17
Reported: 2024-11-13 00:19
Platform: win7-20241010-en
Max time kernel: 119s
Max time network: 19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6ff029ad787a69dca7484d57eda1d58a60c69d6b08c4e140bbf1281f60199948.exe"

Signatures

Renames multiple (483) files with added filename extension (tag: ransomware)

UPX packed file (tag: upx)

Drops file in Program Files directory

Process (every row): C:\Users\Admin\AppData\Local\Temp\6ff029ad787a69dca7484d57eda1d58a60c69d6b08c4e140bbf1281f60199948.exe
Target (every row): N/A

Description: File created
Indicator:
C:\Program Files\7-Zip\Lang\ta.txt.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\ipssve.xml.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\InkObj.dll.mui.tmp
C:\Program Files\Internet Explorer\iediagcmd.exe.tmp
C:\Program Files\7-Zip\7zFM.exe.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-image-mask.png.tmp
C:\Program Files\7-Zip\Lang\br.txt.tmp
C:\Program Files\DVD Maker\Shared\DissolveNoise.png.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\title_trans_notes.wmv.tmp
C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe.tmp
C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.htm.tmp
C:\Program Files\Internet Explorer\sqmapi.dll.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\InkObj.dll.mui.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\micaut.dll.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe.tmp
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPC.DLL.tmp
C:\Program Files\Common Files\System\Ole DB\msdatl3.dll.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationUp_SelectionSubpicture.png.tmp
C:\Program Files\Internet Explorer\iedvtool.dll.tmp
C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-delete.avi.tmp
C:\Program Files\DVD Maker\directshowtap.ax.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\PreviousMenuButtonIcon.png.tmp
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\el.pak.tmp
C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\Logo.png.tmp
C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe.tmp
C:\Program Files\Java\jdk1.7.0_80\jre\bin\jfr.dll.tmp
C:\Program Files\7-Zip\Lang\gl.txt.tmp
C:\Program Files\Common Files\Microsoft Shared\Filters\odffilt.dll.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationRight_SelectionSubpicture.png.tmp
C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\external_extensions.json.tmp
C:\Program Files\7-Zip\Lang\eu.txt.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\InkObj.dll.mui.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ja-jp-sym.xml.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainBackground_PAL.wmv.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyNotesBackground.wmv.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\title_trans_scene.wmv.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\photoedge_selectionsubpicture.png.tmp
C:\Program Files\Java\jdk1.7.0_80\jre\bin\deploy.dll.tmp
C:\Program Files\7-Zip\Lang\ja.txt.tmp
C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe.tmp
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sv.pak.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\ea.xml.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\hwrdeslm.dat.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-next-static.png.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationLeft_SelectionSubpicture.png.tmp
C:\Program Files\7-Zip\Lang\ku-ckb.txt.tmp
C:\Program Files\7-Zip\Lang\pt-br.txt.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\TipRes.dll.mui.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_rtl.xml.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\button-highlight.png.tmp
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sr.pak.tmp
C:\Program Files\7-Zip\Lang\fur.txt.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\InkObj.dll.tmp
C:\Program Files\Common Files\Microsoft Shared\OFFICE14\CsiSoap.dll.tmp
C:\Program Files\Common Files\Microsoft Shared\Stationery\Cave_Drawings.gif.tmp
C:\Program Files\Common Files\System\msadc\es-ES\msdaremr.dll.mui.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_notes-txt-background.png.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationRight_ButtonGraphic.png.tmp
C:\Program Files\7-Zip\Lang\da.txt.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipTsf.dll.mui.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_heb.xml.tmp
C:\Program Files\Common Files\System\ado\msado20.tlb.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\colorcycle.png.tmp
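Every indicator in the table above has the shape <name>.<original extension>.tmp, spread across unrelated application trees under C:\Program Files, which is what the "Renames multiple (N) files with added filename extension" signature keys on. The heuristic below is an added example of that detection logic, written for this page and not the sandbox's own implementation. It runs over constructed file-create events in the shape of the report's rows: the sample paths are taken from the report, SAMPLE_EXE is an assumed short name standing in for the sample, the explorer.exe and notepad.exe rows are invented benign noise, and the threshold of 5 is an assumption (the sandbox's own threshold is not published here).

```python
"""
Heuristic for "Renames multiple (N) files with added filename extension".
Added example; not the sandbox's code.  Events are constructed from the
report's "File created" rows plus two invented benign rows.
"""
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"   # assumed short name for the sample

# (description, indicator, process), following the report's table columns.
EVENTS = [
    ("File created", r"C:\Program Files\7-Zip\Lang\ta.txt.tmp", SAMPLE_EXE),
    ("File created", r"C:\Program Files\Common Files\Microsoft Shared\ink\ipssve.xml.tmp", SAMPLE_EXE),
    ("File created", r"C:\Program Files\Internet Explorer\iediagcmd.exe.tmp", SAMPLE_EXE),
    ("File created", r"C:\Program Files\7-Zip\7zFM.exe.tmp", SAMPLE_EXE),
    ("File created", r"C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe.tmp", SAMPLE_EXE),
    ("File created", r"C:\$Recycle.Bin\S-1-5-21-3692679935-4019334568-335155002-1000\desktop.ini.tmp", SAMPLE_EXE),
    # constructed benign activity: an ordinary temp file and a plain save
    ("File created", r"C:\Users\Admin\AppData\Local\Temp\~DF1234.tmp", r"C:\Windows\explorer.exe"),
    ("File created", r"C:\Users\Admin\Documents\notes.txt", r"C:\Windows\notepad.exe"),
]


def added_extension(path):
    """If the file name looks like <name>.<orig_ext>.<added_ext>, return
    (original name, added extension); otherwise None.  A plain temp file
    such as ~DF1234.tmp has no original extension and is not a hit."""
    parts = PureWindowsPath(path).name.split(".")
    if len(parts) < 3 or not all(parts[-2:]):
        return None
    return ".".join(parts[:-1]), parts[-1].lower()


def score_mass_rename(events, threshold=5):
    """Count added-extension creations per (process, extension) and report
    every pair at or above the threshold together with the top-level
    directories it touched.  The threshold value is an assumption."""
    per_proc = defaultdict(Counter)
    top_dirs = defaultdict(lambda: defaultdict(set))
    for description, path, process in events:
        if description != "File created":
            continue
        hit = added_extension(path)
        if hit is None:
            continue
        ext = hit[1]
        per_proc[process][ext] += 1
        parts = PureWindowsPath(path).parts          # ('C:\\', 'Program Files', ...)
        top_dirs[process][ext].add(parts[1] if len(parts) > 1 else parts[0])
    findings = []
    for process, counter in per_proc.items():
        for ext, count in counter.items():
            if count >= threshold:
                findings.append({
                    "process": process,
                    "added_ext": ext,
                    "count": count,
                    "top_dirs": sorted(top_dirs[process][ext]),
                })
    return findings


if __name__ == "__main__":
    for finding in score_mass_rename(EVENTS):
        print("Renames multiple (%d) files with added filename extension .%s by %s under %s"
              % (finding["count"], finding["added_ext"], finding["process"],
                 ", ".join(finding["top_dirs"])))
```

Keying on the added extension rather than on the write itself is what separates this from an installer or backup job, which also writes name.ext.tmp files but only inside its own tree; the spread across 7-Zip, Internet Explorer, Java and the Recycle Bin in the same run is the part of the finding worth surfacing alongside the count.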

System Location Discovery: System Language Discovery (tag: discovery)

Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Local\Temp\6ff029ad787a69dca7484d57eda1d58a60c69d6b08c4e140bbf1281f60199948.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6ff029ad787a69dca7484d57eda1d58a60c69d6b08c4e140bbf1281f60199948.exe

"C:\Users\Admin\AppData\Local\Temp\6ff029ad787a69dca7484d57eda1d58a60c69d6b08c4e140bbf1281f60199948.exe"

Network

N/A

Files

memory/2460-0-0x0000000000400000-0x000000000040A000-memory.dmp (process 2460, image region 0x400000-0x40A000, dump index 0)

C:\$Recycle.Bin\S-1-5-21-3692679935-4019334568-335155002-1000\desktop.ini.tmp

MD5: 856cd581a90fa45ec236614d1387880c
SHA1: 8e2c6bec4605d6cfe9f1e0bf1c98851d9223b09b
SHA256: f5a7ec0dd6f84ca7ec17d302f757db17a53db982ae10c95a264902997828af40
SHA512: 30bd9f870e916d42a8fb184c027eb2170a75089aa62cadb7390be17713dab947a347540d27362a6aeff00d763a7f9de3dce347e10e23b97ba2467aee11b8d5fa

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5: 378f2e505eb5db38e6511808584938c3
SHA1: a69c71e976815bfe7d6533453c2858ccbfccf8c5
SHA256: 1a38d191c931fc0ec2769b59c5f8095f5ac74fec2a25d765788daaad9f5570e4
SHA512: 2c140e0cf8f75843170de9322b6e594e49f9466dbe87e53a0da7a360f458b95368013b0f455438e192ffbc6d843a8f64189bae989c03923a758a7c6ac4cdbe4c

memory/2460-26-0x0000000000400000-0x000000000040A000-memory.dmp (same process and region, dump index 26)

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-13 00:17
Reported: 2024-11-13 00:19
Platform: win10v2004-20241007-en
Max time kernel: 120s
Max time network: 92s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6ff029ad787a69dca7484d57eda1d58a60c69d6b08c4e140bbf1281f60199948.exe"

Signatures

Renames multiple (4646) files with added filename extension (tag: ransomware)

UPX packed file (tag: upx)

Drops file in Program Files directory

Process (every row): C:\Users\Admin\AppData\Local\Temp\6ff029ad787a69dca7484d57eda1d58a60c69d6b08c4e140bbf1281f60199948.exe
Target (every row): N/A

Description: File created
Indicator:
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Linq.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_OEM_Perp-ul-phn.xrm-ms.tmp
C:\Program Files\Java\jdk-1.8\bin\vcruntime140_1.dll.tmp
C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_K_COL.HXK.tmp
C:\Program Files\Microsoft Office\root\Office16\JitV.dll.tmp
C:\Program Files\7-Zip\Lang\mng.txt.tmp
C:\Program Files\7-Zip\Lang\th.txt.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Encodings.Web.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\WindowsBase.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XDocument.dll.tmp
C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe.tmp
C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_MAKC2R-pl.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_OEM_Perp-ppd.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Controls.Ribbon.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\System.Xaml.resources.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-pl.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_KMS_ClientC2R-ul.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-100.png.tmp
C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.lt-lt.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Windows.Forms.Primitives.resources.dll.tmp
C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-handle-l1-1-0.dll.tmp
C:\Program Files\Java\jre-1.8\legal\javafx\webkit.md.tmp
C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-time-l1-1-0.dll.tmp
C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\HarvardAnglia2008OfficeOnline.xsl.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscorrc.dll.tmp
C:\Program Files\Java\jre-1.8\lib\security\policy\limited\US_export_policy.jar.tmp
C:\Program Files\Microsoft Office\root\Licenses16\MondoR_KMS_Automation-ul-oob.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Grace-ul-oob.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest4-ul-oob.xrm-ms.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Emit.Lightweight.dll.tmp
C:\Program Files\Java\jdk-1.8\jre\lib\deploy\splash.gif.tmp
C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcDemoR_BypassTrial365-ul-oob.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_MAK-pl.xrm-ms.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\PresentationFramework.resources.dll.tmp
C:\Program Files\Java\jre-1.8\lib\fonts\LucidaSansDemiBold.ttf.tmp
C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART12.BDR.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.WebClient.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\PresentationFramework.resources.dll.tmp
C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_COL.HXC.tmp
C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.scale-180.png.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Collections.Specialized.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Windows.Forms.resources.dll.tmp
C:\Program Files\Java\jdk-1.8\jre\lib\security\public_suffix_list.dat.tmp
C:\Program Files\Java\jre-1.8\lib\deploy\[email protected]
C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-pl.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-80.png.tmp
C:\Program Files\Microsoft Office\root\Office16\MANIFEST.XML.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Primitives.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.InteropServices.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\PresentationUI.resources.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ppd.xrm-ms.tmp
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_kor.xml.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.Formatters.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Compression.Brotli.dll.tmp
C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_school.png.tmp
C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-ppd.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp
C:\Program Files\Common Files\microsoft shared\ink\ru-RU\tipresx.dll.mui.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.EventBasedAsync.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\WindowsFormsIntegration.resources.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription2-pl.xrm-ms.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.Json.dll.tmp

System Location Discovery: System Language Discovery (tag: discovery)

Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Local\Temp\6ff029ad787a69dca7484d57eda1d58a60c69d6b08c4e140bbf1281f60199948.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6ff029ad787a69dca7484d57eda1d58a60c69d6b08c4e140bbf1281f60199948.exe

"C:\Users\Admin\AppData\Local\Temp\6ff029ad787a69dca7484d57eda1d58a60c69d6b08c4e140bbf1281f60199948.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp

All eight entries are reverse-DNS (PTR) queries to 8.8.8.8. The report records no connection from the sample to any external host, attributes none of these queries to a process, and the Windows 7 run (behavioral1) recorded no network activity at all, so this table does not by itself establish command-and-control traffic.

Files

memory/964-0-0x0000000000400000-0x000000000040A000-memory.dmp (process 964, image region 0x400000-0x40A000, dump index 0)

C:\$Recycle.Bin\S-1-5-21-2878641211-696417878-3864914810-1000\desktop.ini.tmp

MD5: 833f729d1b2e652e2d027331594888d2
SHA1: 7e2998d00cfaaadce4f2adbbb5082ae37fcf5373
SHA256: c47d36f328a834250a97d6080cc8c8b28eed9e3d24a7f6624300c6b2e35eb85c
SHA512: ec7ae223e6711cc51e455ea851ff74893f4d7456db0ae83a001bb0419efa0ff20efea96d77e8789159e6d8b197cd762d45609cd262bdde8a268b0dba76cd7764

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5: dc8c3c25165d7c87f872231865a1b4dd
SHA1: 4daf1f4e4dd2d5f8d24f4b8d9931dafb5b4f878a
SHA256: 327fce158aae013d6524e8f9b69010564b5d92194fd2aa5048dc3707110cccfd
SHA512: ca9d777617c2085bfb7deba3d9b04c2823052567fb4f811ffa387fccd69e0c67eb882e468de8c9fa74622a6b01726cfbbd87fe305f514ee993fa4d940001eaf8

memory/964-785-0x0000000000400000-0x000000000040A000-memory.dmp (same process and region, dump index 785)