Malware Analysis Report

2024-12-07 10:04

Sample ID 241113-cvxmestpfz
Target c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635
SHA256 c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635
Tags
upx discovery ransomware
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635

Threat Level: Likely malicious

The file c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635 was found to be: Likely malicious.

Malicious Activity Summary

upx discovery ransomware

Renames multiple (4138) files with added filename extension

Renames multiple (5191) files with added filename extension

UPX packed file

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

MITRE ATT&CK (Enterprise Matrix v15)

Mappings derived from the signatures in this report (editor's mapping, not part of the sandbox output). System Location Discovery: System Language Discovery is T1614.001; the indicator is the read of HKLM\SYSTEM\ControlSet001\Control\NLS\Language. UPX packed file is T1027.002, Obfuscated Files or Information: Software Packing. The mass rename with an added extension is what the sandbox tags as ransomware; if the .tmp files written beside each target hold ciphertext that is T1486, Data Encrypted for Impact, but the report does not verify that any file content was encrypted.

Analysis: static1

Detonation Overview

Reported

2024-11-13 02:24

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
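The two static signatures above (UPX packed file, Unsigned PE) come down to a few header reads. The following is an added example written for this report, not code from the sandbox vendor. It never touches the real sample: it constructs two small PE32 images in memory, one laid out the way UPX leaves a file (UPX0/UPX1 section names, the UPX! packer header in the slack after the section table, a high-entropy compressed section) and one plain image carrying a dummy certificate table, and applies the same checks to both. The section contents, the 0x200 file alignment and the eight-byte certificate blob are constructed values.

```python
"""Static triage of a PE image: UPX markers and embedded Authenticode presence.

Added example for this report, not the sandbox vendor's code. It never reads
the real sample: two PE32 images are constructed in memory, one laid out the
way UPX leaves a file and one plain image carrying a dummy certificate
table, and the checks behind 'UPX packed file' / 'Unsigned PE' run on both.
"""
import math
import random
import struct

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b"UPX!"}
IMAGE_DIRECTORY_ENTRY_SECURITY = 4           # certificate table (Authenticode)
ALIGN = 0x200                                # file alignment used by the builder (constructed)


def _nt_offset(data):
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew


def sections(data):
    """[(name, PointerToRawData, SizeOfRawData)] from the section table."""
    coff = _nt_offset(data) + 4
    (count,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    out = []
    for i in range(count):
        off = coff + 20 + opt_size + 40 * i
        _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        out.append((data[off:off + 8].rstrip(b"\0"), raw_ptr, raw_size))
    return out


def certificate_table(data):
    """(file offset, size) of the embedded Authenticode blob; (0, 0) when absent."""
    opt = _nt_offset(data) + 24
    (magic,) = struct.unpack_from("<H", data, opt)
    dd = {0x10B: 96, 0x20B: 112}[magic]      # data-directory offset for PE32 / PE32+
    (count,) = struct.unpack_from("<I", data, opt + dd - 4)   # NumberOfRvaAndSizes
    if count <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return (0, 0)
    return struct.unpack_from("<II", data, opt + dd + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)


def entropy(blob):
    """Shannon entropy in bits per byte; compressed or encrypted data sits near 8."""
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in (blob.count(bytes([b])) for b in set(blob))) if n else 0.0


def triage(data):
    secs = sections(data)
    coff = _nt_offset(data) + 4
    table_end = coff + 20 + struct.unpack_from("<H", data, coff + 16)[0] + 40 * len(secs)
    first_raw = min([p for _, p, s in secs if s] or [len(data)])
    return {
        "upx_names": any(name in UPX_SECTION_NAMES for name, _, _ in secs),
        # UPX stores its own header, starting with 'UPX!', in the slack after the section table
        "upx_header": b"UPX!" in data[table_end:first_raw],
        "max_entropy": round(max([entropy(data[p:p + s]) for _, p, s in secs if s] or [0.0]), 2),
        "has_embedded_signature": certificate_table(data) != (0, 0),
    }


def build_pe(section_list, upx_header=False, signed=False):
    """Constructed PE32: real header layout, no runnable code."""
    nt, opt_size = 0x80, 224
    table_end = nt + 24 + opt_size + 40 * len(section_list)
    first_raw = -(-(table_end + 0x20) // ALIGN) * ALIGN         # leave slack after the table
    dos = bytearray(b"MZ".ljust(nt, b"\0"))
    struct.pack_into("<I", dos, 0x3C, nt)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_list), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                           # NumberOfRvaAndSizes
    table, body, raw_ptr, va = bytearray(), bytearray(), first_raw, 0x1000
    for name, content in section_list:
        size = -(-len(content) // ALIGN) * ALIGN
        table += struct.pack("<8sIIIIIIHHI", name, len(content), va, size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += content.ljust(size, b"\0")
        raw_ptr += size
        va += 0x1000
    if signed:   # certificate table points (by file offset) at a dummy 8-byte blob after the sections
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, raw_ptr, 8)
        body += b"\0" * 8
    headers = dos + b"PE\0\0" + coff + opt + table + (b"UPX!" if upx_header else b"")
    return bytes(headers.ljust(first_raw, b"\0") + body)


_rng = random.Random(1337)                     # deterministic stand-in for compressed data
PACKED = build_pe([(b"UPX0", b""), (b"UPX1", bytes(_rng.getrandbits(8) for _ in range(4096))),
                   (b".rsrc", b"\0" * 64)], upx_header=True)
PLAIN = build_pe([(b".text", b"\xcc" * 512 + b"hello, world " * 20), (b".rdata", b"\0" * 256)], signed=True)

if __name__ == "__main__":
    print("packed:", triage(PACKED))
    print("plain: ", triage(PLAIN))
```

An empty certificate table is all that "Unsigned PE" means: no embedded Authenticode signature. That is not the same as untrusted, since catalog-signed Windows binaries also have an empty table, and a non-empty table only says a signature is present, not that it verifies. Section names are trivially changed by modified UPX builds, so when UPX0/UPX1 are missing the UPX! header and the entropy reading are the checks to rely on.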

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 02:24

Reported

2024-11-13 02:26

Platform

win7-20240708-en

Max time kernel

150s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe"

Signatures

Renames multiple (4138) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Every row below is a new file named after an existing one with .tmp appended (CoolType.dll becomes CoolType.dll.tmp), written by the sample into application directories that normally only installers modify. Together with the 4138 renames counted above, this is the write-a-sidecar-then-rename pattern of a file encryptor; the table is a 64-row excerpt of those events, and the report does not show the extension the final rename appends.

Description Indicator Process Target
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\CoolType.dll.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.console_1.0.300.v20131113-1212.jar.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-sendopts.xml.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\Mozilla Firefox\updater.ini.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Framework.dll.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\images\vlc16x16.png.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\js\calendar.js.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\ACEINTL.DLL.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ipsesp.xml.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\ja-JP\msdasqlr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\Java\jre7\bin\dcpr.dll.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\playlist\newgrounds.luac.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\video_filter\libwave_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_dot.png.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Orange Circles.htm.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\localizedStrings.js.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\rt3d.dll.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\720x480blacksquare.png.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.nl_ja_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-compat_ja.jar.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-modules-appui_ja.jar.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\demux\libmkv_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SONORA\SONORA.ELM.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\DVD Maker\Eurosti.TTF.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-next-over-select.png.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-core-kit.jar.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\SpiderSolitaire.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\VC\msdia90.dll.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\MSTTSLoc.dll.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sk.pak.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.net.nl_ja_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.Linq.Resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_divider_right.png.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\1033\DATES.XML.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\blafdoc.css.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.bidi_0.10.0.v20130327-1442.jar.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-annotations-common.xml.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\Microsoft Office\Office14\Mso Example Setup File A.txt.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_rist_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\Windows Journal\Templates\To_Do_List.jtp.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Europe\Tirane.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Peacock.htm.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\DVD Maker\DVDMaker.exe.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.beans.nl_zh_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Net.Resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\js\RSSFeeds.js.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\jfxmedia.dll.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\gadget.xml.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\Java\jre7\lib\fonts\LucidaBrightItalic.ttf.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Belize.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\flyout.html.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PAPYRUS\PAPYRUS.ELM.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\mshwLatin.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui_5.5.0.165303.jar.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\calendar.html.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\picturePuzzle.html.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LEVEL\LEVEL.INF.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToScenesBackground_PAL.wmv.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\MET.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
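The behaviour behind this run's two ransomware-related findings, 4138 renames with an added extension and a .tmp sidecar created next to each target, is what a file-event heuristic has to catch. The following is an added example for this report, not the sandbox's own detection code: it runs a mass-rename heuristic over a constructed event stream. The paths are taken from the tables in this report, but the event tuples, the .locked extension, the benign editor and .bak events and the thresholds are assumptions; the report does not say which extension the sample appends.

```python
"""Mass-rename / added-extension heuristic over file events.

Added example for this report, not the sandbox vendor's signature code.
The sample is reported renaming 4138 (Win7) and 5191 (Win10) files with an
added extension and writing '<original>.tmp' beside files under Program
Files; this reproduces that kind of verdict over a constructed event stream.
The event format, the '.locked' extension, the benign processes and the
thresholds are assumptions.
"""
from collections import Counter, defaultdict
import ntpath

# Paths copied from the report's file tables (plus two constructed user files);
# the events built from them are constructed.
TARGETS = [
    r"C:\Program Files\7-Zip\7-zip.dll",
    r"C:\Program Files\7-Zip\Lang\ar.txt",
    r"C:\Program Files\Java\jre-1.8\bin\jpeg.dll",
    r"C:\Program Files\Microsoft Office\Office16\OSPP.VBS",
    r"C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ko.pak",
    r"C:\$Recycle.Bin\S-1-5-21-4089630652-1596403869-279772308-1000\desktop.ini",
    r"C:\Users\Admin\Documents\budget.xlsx",          # constructed
    r"C:\Users\Admin\Pictures\holiday.jpg",           # constructed
]

EVENTS = []                                            # (kind, pid, path[, new_path])
for _t in TARGETS:                                     # PID 4888 as in the Win10 run
    EVENTS.append(("created", 4888, _t + ".tmp"))     # sidecar, as in the report
    EVENTS.append(("renamed", 4888, _t, _t + ".locked"))  # hypothetical final extension
EVENTS += [
    # benign editor save: temp file renamed over the document (extension replaced, not added)
    ("created", 1234, r"C:\Users\Admin\Documents\notes.txt~RF1a.tmp"),
    ("renamed", 1234, r"C:\Users\Admin\Documents\notes.txt~RF1a.tmp", r"C:\Users\Admin\Documents\notes.txt"),
    # benign config backup: two files in one directory get '.bak' appended
    ("renamed", 2222, r"C:\Tools\app.cfg", r"C:\Tools\app.cfg.bak"),
    ("renamed", 2222, r"C:\Tools\hosts.cfg", r"C:\Tools\hosts.cfg.bak"),
]


def added_extension(src, dst):
    """Suffix a rename appended to the full name ('.locked'), or None."""
    s, d = src.lower(), dst.lower()
    if d.startswith(s + ".") and ntpath.dirname(s) == ntpath.dirname(d):
        return dst[len(src):]
    return None


def sidecar_original(path):
    """'X.ext.tmp' -> 'X.ext'; None when the name is not a .tmp next to a real file."""
    root, ext = ntpath.splitext(path)
    if ext.lower() == ".tmp" and ntpath.splitext(root)[1]:
        return root
    return None


def analyse(events, min_renames=5, min_dirs=3):
    """Per-PID verdict: dominant added extension, rename count, directory spread, sidecar pairing."""
    renames = defaultdict(Counter)     # pid -> Counter{added extension: count}
    sources = defaultdict(set)         # pid -> originals renamed with an added extension
    dirs = defaultdict(set)            # pid -> directories those renames touched
    sidecars = defaultdict(set)        # pid -> originals that received a '.tmp' sidecar
    for ev in events:
        kind, pid, path = ev[0], ev[1], ev[2]
        if kind == "created":
            orig = sidecar_original(path)
            if orig:
                sidecars[pid].add(orig.lower())
        elif kind == "renamed":
            ext = added_extension(path, ev[3])
            if ext:
                renames[pid][ext] += 1
                sources[pid].add(path.lower())
                dirs[pid].add(ntpath.dirname(path).lower())
    verdicts = {}
    for pid in set(renames) | set(sidecars):
        ext, count = renames[pid].most_common(1)[0] if renames[pid] else (None, 0)
        verdicts[pid] = {
            "added_extension": ext,
            "renames": count,
            "directories": len(dirs[pid]),
            "tmp_sidecars_paired": len(sidecars[pid] & sources[pid]),
            "suspicious": count >= min_renames and len(dirs[pid]) >= min_dirs,
        }
    return verdicts


if __name__ == "__main__":
    for pid, verdict in sorted(analyse(EVENTS).items()):
        print(pid, verdict)
```

The thresholds are deliberately low for the constructed stream; a sandbox signature of this kind fires at far higher counts (the report's 4138 and 5191). The pairing of sidecar creations with renames of the same original is the part that separates an encryptor from an installer that appends .bak to a handful of files, and an editor's save-to-temp-then-rename, which replaces the extension rather than adding one, never counts.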

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A

Note: reading NLS\Language is a weak indicator on its own. The key is consulted by the Windows locale initialisation that nearly every process performs, and nothing in this report shows the sample acting on the value (for example skipping encryption for particular system languages, a common ransomware habit). Treat the ATT&CK mapping as descriptive, not as evidence of targeting.

Processes

C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe

"C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe"

Network

N/A

Files

memory/2080-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3551809350-4263495960-1443967649-1000\desktop.ini.tmp

MD5 6cff044f8b4848193ca3893c2c6599ea
SHA1 8db84b7338f3c46f237e30ee44c835294e14552d
SHA256 352d741475eeaab301542aa4d85a47b3408e7462f136d6197109b5d8fa565ef6
SHA512 84cb8779aceb4702c8e58190bc95a77237fc3cfc0a9a2ea9f3bfd4f8f1d7e6c3fe34ab15b6737df5ec3475ff5b22e027c7a0713ddffa56950b9c507728f6d072

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 e4847b17a40d67b8ba09f70979ffa254
SHA1 0cde878cd4962cf51ed7f97339f64028a7f69e8e
SHA256 61b9f614f77661234324bb25d771029a13a675dc4efc946c47109c9447520bdd
SHA512 e089c489e5cb27c927d7e12b8d7bf0f522cebf71b2c2ba30f279f774de11fe62d82de0a859a203ffe154b22d959aef6120cd8dac9e775b46d567ba94c4605de8

memory/2080-75-0x0000000000400000-0x000000000040A000-memory.dmp

Both dumps cover the same 40 KiB image (0x400000 to 0x40A000) of PID 2080, consistent with a small native executable. For a UPX-packed sample the later dump is the one to inspect for the unpacked code, the appended extension and any ransom-note text, none of which the packed file on disk will show. The two hashed .tmp files above also show that the sample does not exclude system locations: it processed desktop.ini inside the user's $Recycle.Bin and an Office setup file under MSOCache.

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 02:24

Reported

2024-11-13 02:27

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe"

Signatures

Renames multiple (5191) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\wpfgfx_cor3.dll.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Retail-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\th\msipc.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\es-ES\TipTsf.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-process-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Forms.Primitives.dll.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\Microsoft Office\root\Integration\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\Library\SOLVER\SOLVER32.DLL.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL092.XML.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-xstate-l2-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.RegularExpressions.dll.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\security\trusted.libraries.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\javaws.jar.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\Microsoft Office\PackageManifests\AuthoredExtensions.16.xml.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL105.XML.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\7-Zip\Lang\ar.txt.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Drawing.Primitives.dll.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Formats.Asn1.dll.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\Java\jdk-1.8\legal\jdk\pkcs11wrapper.md.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\Microsoft Office\Office16\OSPP.VBS.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_MAK_AE-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-warning.png.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-140.png.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Linq.Parallel.dll.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Metadata.dll.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Algorithms.dll.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Windows.Forms.Primitives.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-180.png.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\Microsoft.VisualBasic.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.XLHost.Modeler.dll.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\deploy\[email protected] C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Garamond-TrebuchetMs.xml.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\7-Zip\Lang\yo.txt.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Principal.Windows.dll.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ServiceProcess.dll.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Xaml.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\dt_shmem.dll.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\jpeg.dll.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntry2019R_PrepidBypass-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Grace-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_COL.HXT.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Spatial.NetFX35.V7.dll.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\Microsoft Office\root\rsod\officemui.msi.16.en-us.tree.dat.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.XPath.dll.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ko.pak.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\sunmscapi.dll.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\Java\jre-1.8\legal\jdk\unicode.md.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_OEM_Perp-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTrial-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.ConnectionUI.dll.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.DispatchProxy.dll.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.TextWriterTraceListener.dll.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\WindowsBase.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\UIAutomationTypes.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\npt.dll.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_Subscription-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA\libssl-1_1-x64.dll.tmp C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe

"C:\Users\Admin\AppData\Local\Temp\c0c5302be71de674f9633df1e2bac92410ffe009ea705af363874646522d6635.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 105.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

All nine entries are reverse (PTR) lookups sent to 8.8.8.8, that is, the VM asking for the hostnames of 52.167.17.97, 84.201.209.105, 20.190.159.64, 192.229.221.95, 51.11.168.232, 52.149.20.212, 40.69.42.241, 2.19.117.75 and 52.111.229.43. The report attributes none of them to the sample's process, no name is resolved forward, and the Windows 7 run produced no traffic at all. Within the 135 s network window the sample shows no command-and-control or key-exchange traffic, which is consistent with an offline encryptor but does not prove one.

Files

memory/4888-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-4089630652-1596403869-279772308-1000\desktop.ini.tmp

MD5 caeafed919468e1a3b728377b8b3e96e
SHA1 c835ced5394bfb65b745cbd2d6c479029c05acf5
SHA256 4116d7a7cfd378bc7494adf7a0bc7f9ae832ece5b8e90655593adc454f7371c1
SHA512 3f16e3335f4b31b40701586f935d2680cf67662810e6b5a64584b4a7ecc9add52238aadaeddd059260e0a4a64e3200e247a4f9e6f9fc8aa9f8919f7f43a9bb8a

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 f3019d1a7b36f51e518a92265362adfb
SHA1 7b7a3fd6846093210bcf51c77400a015c3d1de2e
SHA256 d4baa28a3bfba6da19b7370800439be363ffd8cf6bd0f429a7e48e20b086d92f
SHA512 07becbe0f83b337c22fae9257a17f0d6b2c06c21f4528352e0b34a3862ce46111822f62691502850a7149b2e58477bd04f671f9862b73ec022afb7509f327cec

This is the only hashed .tmp whose original is a well-known, unchanging file. Comparing the SHA256 above with that of the 7-zip.dll installed in the VM tells whether the sidecar is a transformed (presumably encrypted) copy or a plain duplicate; the report does not include the original's hash, so that comparison remains to be done. The .tmp hashes describe this detonation only and are not useful indicators; the sample hash in the overview is.

memory/4888-784-0x0000000000400000-0x000000000040A000-memory.dmp