Malware Analysis Report

2024-12-07 10:03

Sample ID 241114-bd6nbsscqf
Target 9f66dab7e3d3fdf5b1f552c2e39baec3b9661099e8571456a74196cc288daf55
SHA256 9f66dab7e3d3fdf5b1f552c2e39baec3b9661099e8571456a74196cc288daf55
Tags
upx discovery ransomware
score
9/10


Analysis Overview


Threat Level: Likely malicious

The file 9f66dab7e3d3fdf5b1f552c2e39baec3b9661099e8571456a74196cc288daf55 was found to be: Likely malicious.

Malicious Activity Summary

upx discovery ransomware

Renames multiple (3792) files with added filename extension

Renames multiple (5029) files with added filename extension

UPX packed file

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Analysis: static1

Detonation Overview

Reported

2024-11-14 01:02

Signatures

UPX packed file

upx

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-14 01:02

Reported

2024-11-14 01:05

Platform

win7-20240708-en

Max time kernel

150s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9f66dab7e3d3fdf5b1f552c2e39baec3b9661099e8571456a74196cc288daf55.exe"

Signatures

Renames multiple (3792) files with added filename extension

ransomware

UPX packed file

upx

Drops file in Program Files directory

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\9f66dab7e3d3fdf5b1f552c2e39baec3b9661099e8571456a74196cc288daf55.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9f66dab7e3d3fdf5b1f552c2e39baec3b9661099e8571456a74196cc288daf55.exe

"C:\Users\Admin\AppData\Local\Temp\9f66dab7e3d3fdf5b1f552c2e39baec3b9661099e8571456a74196cc288daf55.exe"

Network

N/A

Files

memory/2644-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3551809350-4263495960-1443967649-1000\desktop.ini.tmp

MD5 ec530050573d9eda6c6bcd898353ed4b
SHA1 a2af3ab3438f32a3776a20980ec1c9791efde4d6
SHA256 18d1220acdfa96151100f415988324da924cd160390adf615cd7a94f979eee0c
SHA512 4f06214e487b935194301f857535557e922d0bd98a64ba110d6f4cddd79dcd5688f8f0d750d8206031b00ef726296a21fe15d432d42b2d0a14d34b96f89a7427

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 71ac4e284ef9963c72f81ad44a7ee116
SHA1 63b168b001ae57eeaf9a6651283dfa020299807e
SHA256 29e5e7df2e3aa5bc9cb8946b2327b6f91e0566439032ba8c70acfad2ce6c29aa
SHA512 a3a55b62c170ac3700977feebbbf4cd0e0edff5cfda7cfe4a615517a257c36ff9094738fa27aee5343d3ad6f464ae53f75b70cad47380dfef323e1ee1d514242

memory/2644-75-0x0000000000400000-0x000000000040A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-14 01:02

Reported

2024-11-14 01:05

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9f66dab7e3d3fdf5b1f552c2e39baec3b9661099e8571456a74196cc288daf55.exe"

Signatures

Renames multiple (5029) files with added filename extension

ransomware

UPX packed file

upx

Drops file in Program Files directory

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\9f66dab7e3d3fdf5b1f552c2e39baec3b9661099e8571456a74196cc288daf55.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9f66dab7e3d3fdf5b1f552c2e39baec3b9661099e8571456a74196cc288daf55.exe

"C:\Users\Admin\AppData\Local\Temp\9f66dab7e3d3fdf5b1f552c2e39baec3b9661099e8571456a74196cc288daf55.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 67.112.168.52.in-addr.arpa udp

Files

memory/2292-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3442511616-637977696-3186306149-1000\desktop.ini.tmp

MD5 53f1902fa4ef56a4c3d10b563ac59d19
SHA1 de2d5ce38105e1bc4e9ad5b8f0f5c8dac708812c
SHA256 29bb63610f19f300eaf58b7f12153350646d7bb6868d18ce18f3e98f28defaa8
SHA512 1a1688d550226313b575e3ba5e75e76756bc3b3942392307f1ccf201e37c8273384a3d1b8109c706f617efb1f939019b88b7a85803d62d0ee3b9d0c93bcc4a39

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 3bf9c2d70240b7f48ba28dda1c36271e
SHA1 b8e9fcea030bd66f6b87dfa6492b4c9029c5e985
SHA256 17dee0edd0de109d9389f8bb3c08abd1f174b21b0eb281d29d203865ec07d879
SHA512 ac4d5aa6afd8f7acca284cc1a6e6400ddd2bf915976e9fb116aab38bf780c7723074f60dd43e63ef9bb4bf0878dc304b9580de51e1f43b70c2fb996ae20efd8f

memory/2292-782-0x0000000000400000-0x000000000040A000-memory.dmp