Malware Analysis Report

2024-12-07 10:20

Sample ID 241113-dxl45swckr
Target d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7
SHA256 d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7
Tags upx discovery ransomware

Score 9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 9/10

SHA256 d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7

Threat Level: Likely malicious

The file d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7 was found to be: Likely malicious.

Malicious Activity Summary

upx discovery ransomware

Renames multiple (1702) files with added filename extension

Renames multiple (5328) files with added filename extension

UPX packed file

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-11-13 03:23

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-11-13 03:23

Reported 2024-11-13 03:25

Platform win7-20241010-en

Max time kernel 150s

Max time network 127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe"

Signatures

Renames multiple (1702) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.observable_1.4.1.v20140210-1835.jar.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\scenesscroll.png.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\dnsns.jar.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.lucene.core_3.5.0.v20120725-1805.jar.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\license.html.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\msvcr100.dll.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_ko.properties.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\README.TXT.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.historicaldata.ja_5.5.0.165303.jar.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.application.zh_CN_5.5.0.165303.jar.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\7-Zip\Lang\id.txt.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\whiteband.png.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Azores.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Internet Explorer\DiagnosticsHub_is.dll.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.commons.codec_1.6.0.v201305230611.jar.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\ShapeCollector.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\en-US\sqlxmlx.rll.mui.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\el.pak.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Belgrade.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\feature.xml.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.app.nl_zh_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\org-openide-filesystems_zh_CN.jar.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-util-enumerations_zh_CN.jar.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\micaut.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\webbase.xml.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Denver.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-applemenu_ja.jar.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-api-progress.jar.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_photo_Thumbnail.bmp.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\sunmscapi.jar.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\US_export_policy.jar.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\jconsole.jar.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Common Files\System\msadc\en-US\msdaremr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_pl.jar.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\include\jvmticmlr.h.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Internet Explorer\D3DCompiler_47.dll.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\InvokeBackup.eps.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Maputo.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Baku.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\en-US\msdasqlr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\babyblue.png.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\db\bin\startNetworkServer.bat.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.alert.zh_CN_5.5.0.165303.jar.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.swt_0.12.100.v20140530-1436.jar.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.eclipse_2.1.200.v20140512-1650.jar.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationUp_SelectionSubpicture.png.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\1047x576black.png.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_wer.dll.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Guadalcanal.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.transport.ecf.nl_zh_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\deployJava1.dll.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\sunec.jar.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\javafx.properties.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.http.registry_1.1.300.v20130402-1529.jar.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\SmallLogoDev.png.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\St_Johns.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\notification_plugin.jar.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\jhall-2.0_05.jar.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Common Files\System\ado\msador15.dll.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe

"C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe"

Network

N/A

Files

memory/2044-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3692679935-4019334568-335155002-1000\desktop.ini.tmp

MD5 462ff1f3db5e81ffa2e108cc69ac6f72
SHA1 e62d8ddfc2c30eaea422595671fee0115ef58adc
SHA256 202e2d6ac44c949ccc5f554a8e26efe2f9dfbf6065ce69817da28e8462122a6d
SHA512 0f96d21f5336d0073990b524e75eacc10856b5cc345e2dd2fccad93c77f6e682a301e747a108cc25d3dc495a9d1a8687116489ac492a80727ec54c36c0bb2ed9

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 09dc74eea98088187126ae500dc7fb81
SHA1 9cf5c6acba6acac2bf41141f4d1917158ba7e2d3
SHA256 0331cb06ef1ac46dbcf91af6216dfcc3c5d49f637a369d729b04a4c1a4f93995
SHA512 b13efe0d6821bc9be6d60ef4ab4124096bb0f4e6b06db90ff39e4cd6b7ce5fcd360c0a7ffcb3dc8c07ce69d1224eadb4672786af4ced693423801a41ddbb901d

memory/2044-26-0x0000000000400000-0x000000000040A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-11-13 03:23

Reported 2024-11-13 03:25

Platform win10v2004-20241007-en

Max time kernel 150s

Max time network 134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe"

Signatures

Renames multiple (5328) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Forms.Design.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\UIAutomationProvider.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_KMS_Client_AE-ul.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\WindowsFormsIntegration.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Common Files\System\de-DE\wab32res.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Windows.Controls.Ribbon.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\UIAutomationTypes.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\jvm.hprof.txt.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_MAK_AE-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\AdHocReportingExcelClient.dll.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_kor.xml.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Microsoft Office\root\Integration\C2RManifest.officemui.msi.16.en-us.xml.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN095.XML.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red Orange.xml.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\PresentationCore.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\ext\jaccess.jar.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MEDIA\WHOOSH.WAV.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\7-Zip\Lang\fur.txt.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\dotnet\swidtag\Microsoft Windows Desktop Runtime - 6.0.27 (x64).swidtag.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Retail-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\ca\msipc.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-fibers-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ipsptg.xml.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Controls.Ribbon.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Ion Boardroom.thmx.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\7-Zip\Lang\ro.txt.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\currency.data.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTest-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTrial-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Excel.EditorRibbon.dll.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\pl\msipc.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.el-gr.dll.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Private.Xml.dll.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_MAK-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHKEY.DAT.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\OMML2MML.XSL.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\fr-FR\msdasqlr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\uk-UA\ShapeCollector.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Drawing.Primitives.dll.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_SubTrial-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\excel-udf-host.win32.bundle.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\MSOINTL.DLL.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fr-FR\ShapeCollector.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\SAEXT.DLL.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\local_policy.jar.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ms.pak.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\cmm\sRGB.pf.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-process-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Retail-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-180.png.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.Royale.dll.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Grace-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Retail-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Forms.Design.Editors.dll.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-process-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Drawing.dll.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\ext\sunjce_provider.jar.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_KMS_Client-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\OneNote\SendToOneNote.ini.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-environment-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe

"C:\Users\Admin\AppData\Local\Temp\d871a6c6b8c4e6a3c38f41aa9b412bd6d95bd139e57078c8a254ac01964fe4a7.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 70.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

memory/3200-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-940901362-3608833189-1915618603-1000\desktop.ini.tmp

MD5 e580f1d0c1987f718bd1088a98abe953
SHA1 97eefe6d5249460585122d37cb494bea6b3ab4f9
SHA256 7a937006a4f3c72c0c67a62d28eb1fe6c05da646b044e1e3a19c04f118e034e4
SHA512 9dfde6af2c23fd83eea20f9f7a1e47ebbf3ac712fe80a9710916abe0564b1419051b02f0011b908b8d8ebe74c2059177a417debc84a666d770a79979cfa4c035

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 8a1fb5abfdf48109e20b6142aac83bad
SHA1 3978829b8de30cfd0192b4b57eec7b673b2e3fef
SHA256 6d9c6233ffb6f352e1c763c29ad98ee903e5a64a88284acf86658801353056a3
SHA512 b39e524147637aaf65dce72a7c850765a1197bfb54e388362cec4bd4ea83cd7296ea5c3fffaa9ae6eef004b5022413b4716049dbfe3fa61a1affbf99f225800b

memory/3200-793-0x0000000000400000-0x000000000040A000-memory.dmp