Malware Analysis Report

2025-08-10 20:53

Sample ID 240825-hp427ssekr
Target ed5ba1dd443ae3683e0b2e19efaf011bbf90522e41b427eb1bcff7797b75090b
SHA256 ed5ba1dd443ae3683e0b2e19efaf011bbf90522e41b427eb1bcff7797b75090b
Tags
upx discovery ransomware
score
9/10

Analysis Overview

score
9/10

SHA256

ed5ba1dd443ae3683e0b2e19efaf011bbf90522e41b427eb1bcff7797b75090b

Threat Level: Likely malicious

The file ed5ba1dd443ae3683e0b2e19efaf011bbf90522e41b427eb1bcff7797b75090b was found to be: Likely malicious.

Malicious Activity Summary

upx discovery ransomware

Renames multiple (3709) files with added filename extension

Renames multiple (5117) files with added filename extension

UPX packed file

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-25 06:55

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-25 06:55

Reported

2024-08-25 06:58

Platform

win7-20240704-en

Max time kernel

149s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ed5ba1dd443ae3683e0b2e19efaf011bbf90522e41b427eb1bcff7797b75090b.exe"

Signatures

Renames multiple (3709) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ed5ba1dd443ae3683e0b2e19efaf011bbf90522e41b427eb1bcff7797b75090b.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ed5ba1dd443ae3683e0b2e19efaf011bbf90522e41b427eb1bcff7797b75090b.exe

"C:\Users\Admin\AppData\Local\Temp\ed5ba1dd443ae3683e0b2e19efaf011bbf90522e41b427eb1bcff7797b75090b.exe"

Network

N/A

Files

memory/2188-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3434294380-2554721341-1919518612-1000\desktop.ini.tmp

MD5 68017284fd76ab5312caa84a1556809f
SHA1 cd33472b9715834ef187bfd5e4c3f4d00d222891
SHA256 baf230be65fe1261b83e473587f3f823f8c7e60793a1356c8be467a0a2abb96a
SHA512 7f25c773a7affeb25f7e41e3096d6221a033ca69efa9f167b751fd28e9fef2cda0fae4ea69addc787d25c212af442981366b7c6a239213d168ca63829a48075c

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 8736b4bb3607998579b9dc051701cc55
SHA1 f4ba6bc5ed96d00e91642e512509c3ee888d6691
SHA256 a03213aa4827f13449a531e6b0e0c35e0362af9fbd031f989ab653537d30b449
SHA512 af7c7991f62966a787af0d3666a03ff604938ae5437545fca48e4ce0d84b698d3c4897682a7a10c6c095556e796903a112a0d8c09d4d12d189e4bd623a14c440

memory/2188-70-0x0000000000400000-0x000000000040A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-25 06:55

Reported

2024-08-25 06:58

Platform

win10v2004-20240802-en

Max time kernel

150s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ed5ba1dd443ae3683e0b2e19efaf011bbf90522e41b427eb1bcff7797b75090b.exe"

Signatures

Renames multiple (5117) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ed5ba1dd443ae3683e0b2e19efaf011bbf90522e41b427eb1bcff7797b75090b.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ed5ba1dd443ae3683e0b2e19efaf011bbf90522e41b427eb1bcff7797b75090b.exe

"C:\Users\Admin\AppData\Local\Temp\ed5ba1dd443ae3683e0b2e19efaf011bbf90522e41b427eb1bcff7797b75090b.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

memory/3608-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 edceaf8fe5042fdd1141e41f09204b34
SHA1 316abaa331fb7ae9df1e677e64704a1cb9d7e897
SHA256 edad6df3ac32c816fce2dc48b4ff8a3488a42885755777a4b58e3f20f2ba64ad
SHA512 7c3622a03a43ee7401380bb620ea9a2244e1cf0e5b1342c2d46e2b557e7857b6c7e56006a3baad4e9cce1228315fd1b6adcc486e2388e4d665abe5e6558a239d

C:\$Recycle.Bin\S-1-5-21-523280732-2327480845-3730041215-1000\desktop.ini.tmp

MD5 9f5d756aeb59dc09f7d7ee21e38acf4a
SHA1 f820a5c678fc26932bdd2772fc7a54e97bc13204
SHA256 0cf48d6117bebfc8ed9d93a422891f3db6a82086ab3c77af77563d0999f9155f
SHA512 7ffee17d5aa2a3c8b861294689bdf0b789f7699605be011cbdda94a2f8e5485ebe59e1c0e82b366eeea4268f78ea9ff27d527ba86993b1f50ff1896636144aa8

memory/3608-938-0x0000000000400000-0x000000000040A000-memory.dmp