Malware Analysis Report

2024-12-07 10:03

Sample ID: 241114-e4ybestnfz
Target: f9c1ae884f64f613333e70cf1aca7bf0c4e0401bc97ed5ec6ef0f715d69c30e3
SHA256: f9c1ae884f64f613333e70cf1aca7bf0c4e0401bc97ed5ec6ef0f715d69c30e3
Tags: discovery, ransomware
Score: 9/10

Table of Contents

Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 9/10

SHA256: f9c1ae884f64f613333e70cf1aca7bf0c4e0401bc97ed5ec6ef0f715d69c30e3

Threat Level: Likely malicious

The file f9c1ae884f64f613333e70cf1aca7bf0c4e0401bc97ed5ec6ef0f715d69c30e3 was found to be: Likely malicious.

Malicious Activity Summary

Tags: discovery, ransomware

Renames multiple (4618) files with added filename extension

Renames multiple (2887) files with added filename extension

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-14 04:30

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-14 04:30
Reported: 2024-11-14 04:32
Platform: win7-20240903-en
Max time kernel: 150s
Max time network: 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f9c1ae884f64f613333e70cf1aca7bf0c4e0401bc97ed5ec6ef0f715d69c30e3.exe"

Signatures

Renames multiple (2887) files with added filename extension (tag: ransomware)

Drops file in Program Files directory


System Location Discovery: System Language Discovery (tag: discovery)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f9c1ae884f64f613333e70cf1aca7bf0c4e0401bc97ed5ec6ef0f715d69c30e3.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f9c1ae884f64f613333e70cf1aca7bf0c4e0401bc97ed5ec6ef0f715d69c30e3.exe

"C:\Users\Admin\AppData\Local\Temp\f9c1ae884f64f613333e70cf1aca7bf0c4e0401bc97ed5ec6ef0f715d69c30e3.exe"

Network

N/A

Files

C:\$Recycle.Bin\S-1-5-21-3063565911-2056067323-3330884624-1000\desktop.ini.tmp

MD5 2d813fd73f5eab382c5e72b8663737e7
SHA1 ed090ca37768aeee7420b6673b8f4788f0336d1c
SHA256 4e8e036690ccb28c731127dd48b81e19f0678beefc3f58111a894d673a96046e
SHA512 5c7f1249b954236a99f68f52c609f17e2d40093767d47d44f4a0daee0ddfd12b006b3776e27c2e65624ba3c3cdba601df53f7d08994bd9a115b53d32fadd73d6

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 b7dbc4a2358d10a3deeb5a714718cfd1
SHA1 ddfab9ee25d1d9581bda74d851bbe2823c7146e0
SHA256 1ecd5fd600fa0130e6da800dc9a9618815f30b5b9dd168061937ea35d394d3cb
SHA512 68450e5ef970a47d6793a6e8868868b55da99801b109e39c72b4cd1de974b457bf96df3c4623500230a6231289113c50c7a9a4873182c7b6f33a57646a53af48

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-14 04:30
Reported: 2024-11-14 04:32
Platform: win10v2004-20241007-en
Max time kernel: 149s
Max time network: 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f9c1ae884f64f613333e70cf1aca7bf0c4e0401bc97ed5ec6ef0f715d69c30e3.exe"

Signatures

Renames multiple (4618) files with added filename extension (tag: ransomware)

Drops file in Program Files directory


System Location Discovery: System Language Discovery (tag: discovery)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f9c1ae884f64f613333e70cf1aca7bf0c4e0401bc97ed5ec6ef0f715d69c30e3.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f9c1ae884f64f613333e70cf1aca7bf0c4e0401bc97ed5ec6ef0f715d69c30e3.exe

"C:\Users\Admin\AppData\Local\Temp\f9c1ae884f64f613333e70cf1aca7bf0c4e0401bc97ed5ec6ef0f715d69c30e3.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 27.173.189.20.in-addr.arpa udp

Files

C:\$Recycle.Bin\S-1-5-21-2045521122-590294423-3465680274-1000\desktop.ini.tmp

MD5 61550b93b076f65dce02842f65382ed8
SHA1 276c83a5862d43322859df89c930697fb6b8480a
SHA256 1900c584dc16687c23bf28a90401e233c223f206ce8112a7671307d46df8c101
SHA512 c2820dca6b774b1f39da0d47c455562747a46eb64470ed41d08576ca3e89f32d1c452a232d4d9614e846ea555b052fa5113093cca70915140625986429f7a44a

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 f88cb517df4341a8ca71f67d1158fac9
SHA1 e22b7091ee6c90384079b8c276bf9bed65355ad6
SHA256 6139fa112a57f84f15cb5baefa27570789a8364ef6f6963de57dd7b93c4ff05e
SHA512 7d25c63e703b47a46d820a03c70e9bed14a9c133b1d3f6bd57a0d1cde135003c18cd120fc71f811ec2414ec1f0ec234137c30cbb2e43d613ee970715a32fb0fb