Malware Analysis Report

2024-12-07 10:20

Sample ID 241113-dq8pkavkgs
Target d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7
SHA256 d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7
Tags: upx, discovery, ransomware
Score: 9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 9/10

SHA256

d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7

Threat Level: Likely malicious

The file d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7 was found to be: Likely malicious.

Malicious Activity Summary

Tags: upx, discovery, ransomware

Renames multiple (5124) files with added filename extension (behavioral2, Windows 10 detonation)

Renames multiple (4063) files with added filename extension (behavioral1, Windows 7 detonation)

UPX packed file

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

MITRE ATT&CK

Enterprise Matrix V15

Technique evidenced in this report: T1614.001 System Location Discovery: System Language Discovery (the NLS\Language registry key is opened in both detonations). The ransomware tag comes from the mass rename of files with an added extension, which the sandbox reports as a behaviour count rather than as a mapped technique.

Analysis: static1

Detonation Overview

Reported

2024-11-13 03:13

Signatures

UPX packed file

upx
Description Indicator Process Target
(no indicator details recorded for this signature)

Unsigned PE

Description Indicator Process Target
(no indicator details recorded for this signature)
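The two static1 signatures above can be reproduced from the PE headers alone. The following is an added example, not code from the sandbox or from the sample's author: it walks the DOS header, PE signature, COFF header, optional header and section table with the standard library, flags UPX by section name (UPX0/UPX1) and by the "UPX!" magic the UPX stub stores with its packed data, and calls a file unsigned when the IMAGE_DIRECTORY_ENTRY_SECURITY data directory is empty. Because the report's binary is not reproduced here, the PE images it inspects are constructed by the build_test_pe helper and are not loadable executables; the offsets 0x80 and 0x1000 inside that helper are arbitrary. Two caveats a triage analyst should keep in mind: section names are trivially renamed and the marker can be patched out, so a clean result does not rule out UPX; and a non-empty security directory only means a certificate blob is present, not that the signature verifies or chains to a trusted root.

```python
"""Static triage of a PE file for the UPX-packed and Unsigned-PE signatures.
Stdlib only. The PE images are constructed in build_test_pe (not real samples)."""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # data-directory slot for the Authenticode blob
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def parse_pe_headers(data: bytes) -> dict:
    """Return section names and the security data directory of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        dir_off = 96            # DataDirectory[] begins at optional header + 96
    elif magic == PE32PLUS_MAGIC:
        dir_off = 112           # PE32+ has 64-bit ImageBase/stack/heap fields
    else:
        raise ValueError(f"unexpected optional header magic 0x{magic:x}")
    num_dirs = struct.unpack_from("<I", data, opt + dir_off - 4)[0]   # NumberOfRvaAndSizes
    sec_off = sec_size = 0
    if num_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        sec_off, sec_size = struct.unpack_from(
            "<II", data, opt + dir_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    table = opt + opt_size       # section table follows the optional header
    names = []
    for i in range(num_sections):
        raw = data[table + 40 * i: table + 40 * i + 8]     # IMAGE_SECTION_HEADER.Name
        names.append(raw.split(b"\0", 1)[0].decode("ascii", "replace"))
    return {"sections": names, "security_dir": (sec_off, sec_size)}


def triage_pe(data: bytes) -> dict:
    """Reproduce the 'UPX packed file' and 'Unsigned PE' verdicts."""
    hdr = parse_pe_headers(data)
    upx_sections = [n for n in hdr["sections"] if n.upper().startswith("UPX")]
    # The UPX stub keeps an l_info struct (magic "UPX!") alongside the packed data;
    # a build with renamed sections still carries it unless it was patched out.
    upx_marker = b"UPX!" in data
    return {
        "sections": hdr["sections"],
        "upx_sections": upx_sections,
        "upx_marker": upx_marker,
        "upx_packed": bool(upx_sections) or upx_marker,
        # Empty security directory -> no embedded Authenticode signature.
        # A non-empty one still needs chain validation before it means "trusted".
        "unsigned": hdr["security_dir"][1] == 0,
    }


def build_test_pe(section_names, signed: bool, payload: bytes = b"") -> bytes:
    """Constructed minimal PE32 image for this example (not a loadable binary).
    Only the header fields the checks read are meaningful."""
    e_lfanew, opt_size = 0x80, 224                      # assumed layout values
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 92, 16)                 # NumberOfRvaAndSizes
    if signed:   # pretend a WIN_CERTIFICATE blob sits at file offset 0x1000
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x1000, 0x800)
    raw_start = (e_lfanew + 4 + 20 + opt_size + 40 * len(section_names) + 0x1FF) & ~0x1FF
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", n.encode().ljust(8, b"\0"), 0x1000, 0x1000 * (i + 1),
                    0x200, raw_start + 0x200 * i, 0, 0, 0, 0, 0x60000020)
        for i, n in enumerate(section_names))
    image = dos + b"PE\0\0" + coff + bytes(opt) + table
    return image.ljust(raw_start, b"\0") + payload


if __name__ == "__main__":
    packed = build_test_pe(["UPX0", "UPX1", ".rsrc"], signed=False, payload=b"UPX!" + b"\0" * 12)
    clean = build_test_pe([".text", ".data", ".rsrc"], signed=True)
    for label, blob in (("packed", packed), ("clean", clean)):
        print(label, triage_pe(blob))
```

On a real file, replace the constructed image with open(path, "rb").read(); the parser only reads header fields, so it is safe to run on untrusted input, but it does not unpack anything. For the actual sample, unpacking (upx -d, or dumping the process after the stub has finished) is the next step before any string or import analysis means much, since the 40 KiB image region seen in the memory dumps below is the packed stub, not the payload's real code.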

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 03:13

Reported

2024-11-13 03:16

Platform

win7-20240903-en

Max time kernel

150s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe"

Signatures

Renames multiple (4063) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
(no indicator details recorded for this signature)

Drops file in Program Files directory

The table is truncated to 64 entries. Every entry is an existing file's full path with .tmp appended, created by the sample process itself across many unrelated Windows component and third-party directories; together with the 4063 renames counted above this is the file-system pattern behind the ransomware tag.

Description Indicator Process Target
File created C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\TipTsf.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyScenesBackground.wmv.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-ui.xml.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Java\jre7\bin\servertool.exe.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\video_filter\libanaglyph_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\RSSFeeds.html.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\settings.css.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\settings.html.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\TipTsf.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\1047x576black.png.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\vlc.mo.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\7-Zip\Lang\hy.txt.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Christmas.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Microsoft Games\FreeCell\ja-JP\FreeCell.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\add_up.png.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rss_headline_glow_flyout.png.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\1033\EEINTL.DLL.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\mshwLatin.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\button-highlight.png.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\db\LICENSE.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.repository.nl_ja_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-util-enumerations.xml.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-api_ja.jar.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\ReachFramework.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AXE8SharedExpat.dll.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\mip.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\7-Zip\Lang\ja.txt.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Nassau.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Pacific\Wallis.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BREEZE\BREEZE.INF.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-lib-uihandler.xml_hidden.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.Speech.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\mr\LC_MESSAGES\vlc.mo.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\css\clock.css.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\settings.css.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\CGMIMP32.FLT.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sl.pak.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.compatibility.state.nl_ja_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Microsoft Games\Hearts\desktop.ini.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\video_output\libflaschen_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\DEEPBLUE\DEEPBLUE.ELM.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\javaws.jar.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+6.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Istanbul.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Africa\Casablanca.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\vlc.mo.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\PICTIM32.FLT.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LAYERS\THMBNAIL.PNG.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PROFILE\PREVIEW.GIF.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Anadyr.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Montreal.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Microsoft Games\Multiplayer\Backgammon\fr-FR\bckgzm.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\VideoLAN\VLC\skins\skin.dtd.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Stars.jpg.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\tabskb.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\it.pak.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Godthab.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Windows NT\TableTextService\fr-FR\TableTextService.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\js\settings.js.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+11.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Athens.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Microsoft Games\Multiplayer\Checkers\en-US\chkrzm.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\ParentMenuButtonIcon.png.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\WhiteDot.png.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A

System Location Discovery: System Language Discovery (T1614.001)

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A

Opening HKLM\SYSTEM\ControlSet001\Control\NLS\Language is how a process reads the installed system language. The sandbox records only the key open, not the value read or what the sample did with it, and ordinary locale initialisation opens the same key, so on its own this signature is weak evidence; it matters here only alongside the file activity above.

Processes

C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe

"C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe"

No child processes were recorded; every file and registry event in this detonation is attributed to the sample process.

Network

No network activity was recorded in this detonation.

Files

memory/3068-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-4177215427-74451935-3209572229-1000\desktop.ini.tmp

MD5 15c2bdb0ceda93d645138da653402b42
SHA1 ffbef0069edfcf6c80ff28438bbcc6e9eb631fce
SHA256 5ec295115fe84117dc02d4916ff97cd746a05d0d43fb723448d89e5d293e64e9
SHA512 26d78ab5e87cb7ac4873e4abc334dc0959cb63313e34187da0b8af0ee9c8d583a41dddc2206ddbf299eb1523b87ebec356087493a8ba6f47583a47fc5ed84477

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 5c4df11112fd124a099e73184906ea58
SHA1 b1726f76eef5e1688cf044a704131e0fce58d746
SHA256 d7497e52dcbfe9735e6ad6080e8746557aa84f49162959f90d3f0b6518a22fe8
SHA512 53d3d7d1d936703e13d9dec65d79ccd1c39e445e3a71f6f2ebbf970ed2dc51d3ae5133773de6e92ff246ee040d43aff89ba5d2721a750f0690847385a884e328

memory/3068-75-0x0000000000400000-0x000000000040A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 03:13

Reported

2024-11-13 03:16

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe"

Signatures

Renames multiple (5124) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
(no indicator details recorded for this signature)

Drops file in Program Files directory

The table is truncated to 64 entries. As in the Windows 7 detonation, every entry is an existing file's full path with .tmp appended, created by the sample process itself; on this Windows 10 image the affected directories include Microsoft Office, the .NET runtime, Java, 7-Zip and Internet Explorer.

Description Indicator Process Target
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_MAK_AE-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-localization-l1-2-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ko-kr.dll.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Windows.Controls.Ribbon.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\vcruntime140_cor3.dll.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Trial-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Microsoft Office\root\rsod\office32ww.msi.16.x-none.boot.tree.dat.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.Brotli.dll.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-timezone-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\ktab.exe.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\fi\msipc.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\mlib_image.dll.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Trial-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ONBttnIELinkedNotes.dll.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTrial-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\WordR_Trial-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\7-Zip\Lang\va.txt.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\msxactps.dll.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_OEM_Perp-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019MSDNR_Retail-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-timezone-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_KMS_ClientC2R-ul.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.dll.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Extensions.dll.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.FileVersionInfo.dll.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\PresentationFramework.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_MAK-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHPHN.DAT.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Forms.Design.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\UIAutomationClientSideProviders.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\UIAutomationTypes.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_OEM_Perp-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\WordR_Grace-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.ReportingServices.Authorization.dll.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-white_scale-80.png.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\7-Zip\Lang\sk.txt.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Channels.dll.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\deploy\splash_11-lic.gif.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\javacpl.cpl.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN002.XML.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Timer.dll.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_KMS_Client-ul.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\it\msipc.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\PresentationFramework.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\management\jmxremote.password.template.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial1-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\WindowsBase.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-xstate-l2-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\react-native-win32.dll.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\7-Zip\Lang\kk.txt.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Trial-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Drawing.dll.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Windows.Input.Manipulations.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Internet Explorer\iexplore.exe.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\legal\jdk\relaxngdatatype.md.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.TypeExtensions.dll.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\UIAutomationProvider.dll.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\WindowsBase.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A

System Location Discovery: System Language Discovery (T1614.001)

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A

The same key open as in the Windows 7 detonation: only the open is recorded, not the value read or its use.
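The three behavioural signatures reported for both detonations (mass creation of "<name>.<ext>.tmp" files, writes under Program Files by a process launched from a user-writable path, and the NLS\Language key open) can be approximated from ordinary endpoint telemetry. The following is an added example, not the sandbox's own detection logic: it runs over a constructed list of events shaped like Sysmon FileCreate (Event ID 11) and RegistryEvent (Event ID 12) records. The file paths are taken from the tables above; the process name sample.exe, the svchost control event, the USER_WRITABLE path list and all thresholds are assumptions. The appended-extension heuristic needs the original name to have had an extension, so files such as the Java tz database entries (GMT+6.tmp) are not counted and the count is a lower bound; and because installers and updaters also create .tmp files beside the files they replace, the rename rule carries thresholds and the Program Files rule is a corroborating signal rather than a verdict.

```python
"""Triage of file and registry telemetry for the three behavioural signatures.
Events are constructed for this example in Sysmon EID 11 / EID 12 shape."""
import re
from collections import Counter, defaultdict

SAMPLE_IMAGE = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"   # assumed process name
SAMPLE_EVENTS = [   # constructed; paths modelled on the report tables
    {"eid": 11, "image": SAMPLE_IMAGE, "target": r"C:\Program Files\7-Zip\Lang\hy.txt.tmp"},
    {"eid": 11, "image": SAMPLE_IMAGE, "target": r"C:\Program Files\Java\jre7\bin\servertool.exe.tmp"},
    {"eid": 11, "image": SAMPLE_IMAGE, "target": r"C:\Program Files\VideoLAN\VLC\plugins\video_filter\libanaglyph_plugin.dll.tmp"},
    {"eid": 11, "image": SAMPLE_IMAGE, "target": r"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AXE8SharedExpat.dll.tmp"},
    {"eid": 11, "image": SAMPLE_IMAGE, "target": r"C:\Program Files\Microsoft Games\Hearts\desktop.ini.tmp"},
    {"eid": 11, "image": SAMPLE_IMAGE, "target": r"C:\$Recycle.Bin\S-1-5-21-4177215427-74451935-3209572229-1000\desktop.ini.tmp"},
    # tz database files have no original extension: invisible to the name heuristic
    {"eid": 11, "image": SAMPLE_IMAGE, "target": r"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+6.tmp"},
    {"eid": 12, "image": SAMPLE_IMAGE, "target": r"HKLM\SYSTEM\ControlSet001\Control\NLS\Language"},
    # benign control (assumed): a system service writing its own log under ProgramData
    {"eid": 11, "image": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\ProgramData\Microsoft\Windows\WER\report.log"},
]

# '<basename>.<original ext>.<added ext>', e.g. desktop.ini.tmp -> 'tmp'
APPENDED_EXT = re.compile(r"^.+\.[A-Za-z0-9]{1,5}\.(?P<added>[A-Za-z0-9_]{1,10})$")
PROGRAM_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "c:\\programdata\\", "c:\\windows\\temp\\")
LANG_KEY = "\\control\\nls\\language"


def appended_extension(path: str):
    """Extension appended to a name that already had one, or None."""
    m = APPENDED_EXT.match(path.rsplit("\\", 1)[-1])
    return m.group("added").lower() if m else None


def from_user_writable(image: str) -> bool:
    """True when the process image lives in a location any user can write to."""
    return any(marker in image.lower() for marker in USER_WRITABLE)


def triage_events(events, min_renamed=200, min_dirs=20):
    """Return {image: [finding, ...]} for every process in the events.
    Default thresholds are assumptions meant to stay above installers and
    updaters; lower them only for small captures such as SAMPLE_EVENTS."""
    state = defaultdict(lambda: {"added": Counter(), "dirs": set(), "progfiles": 0, "lang": False})
    for ev in events:
        st, target = state[ev["image"]], ev["target"]
        if ev["eid"] == 11:
            added = appended_extension(target)
            if added:
                st["added"][added] += 1
                st["dirs"].add(target.rsplit("\\", 1)[0].lower())
            if target.lower().startswith(PROGRAM_DIRS):
                st["progfiles"] += 1
        elif ev["eid"] in (12, 13) and target.lower().endswith(LANG_KEY):
            st["lang"] = True
    findings = {}
    for image, st in state.items():
        hits = []
        if st["added"]:
            ext, n = st["added"].most_common(1)[0]   # ransomware uses one suffix
            if n >= min_renamed and len(st["dirs"]) >= min_dirs:
                hits.append(f"mass creation of files with appended extension .{ext}: "
                            f"{n} files across {len(st['dirs'])} directories")
        if st["progfiles"] and from_user_writable(image):
            hits.append(f"{st['progfiles']} files written under Program Files by a "
                        f"process running from a user-writable path")
        if st["lang"]:
            hits.append("T1614.001 System Language Discovery: opened NLS\\Language key")
        findings[image] = hits
    return findings


if __name__ == "__main__":
    # thresholds lowered because the constructed capture has only seven file events
    for image, hits in triage_events(SAMPLE_EVENTS, min_renamed=5, min_dirs=5).items():
        print(image, "->", hits or ["no findings"])
```

The sandbox reports 4063 and 5124 renames per run; the default thresholds of 200 files across 20 directories are an assumed starting point that a real capture of this sample would clear by a wide margin, while a single installer patching its own directory would not.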

Processes

C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe

"C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe"

No child processes were recorded; every file and registry event in this detonation is attributed to the sample process.

Network

All nine recorded queries are reverse-DNS (PTR) lookups sent over UDP to the Google resolver at 8.8.8.8:53; no other connections were captured and the report attributes no process to them. A PTR name is the address with its octets reversed, so 241.150.49.20.in-addr.arpa asks for the hostname of 20.49.150.241. Whether the sample issued these lookups or they are Windows background traffic on the sandbox image cannot be determined from this report, so they should not be treated as sample indicators without further evidence.

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 73.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

memory/1668-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2045521122-590294423-3465680274-1000\desktop.ini.tmp

MD5 6b6acd5be4abe789030848f29a910b7f
SHA1 cc41e507d763a3b16075b81a37f27f83c71dc22d
SHA256 ef9fde892e3a90d47b4dd3855a9ba31f4df4ba97e501a7d4b0f2196e8c4c5745
SHA512 e694c72624561c172e9cc414aa8c7795632d58af2542bcc85320a0a0ab9d9e2cca3e52596be086f2e50be41d81cb1603c4393540687fa8338d9a58d5b3d9689f

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 785130c8f174af9821da6af43d031b9c
SHA1 2f523282238bd137f8e81eaa07bba1bfff053904
SHA256 eceed18c4e6a2e7a83169777df6241b025a4a0e1bd282e911fe43172f48a5b63
SHA512 33540c3c15324eb94653cd43b4eb7eb9eebccec89a6bce8445d56048bd890910fa990b93c9cc5d8a76dae330af6c64f32dd7186f5aa97f7fdad6a6a792fb68c5

memory/1668-707-0x0000000000400000-0x000000000040A000-memory.dmp