Malware Analysis Report

2025-08-11 01:48

Sample ID 241005-yq3tjawcmb
Target ef0e45386099ac22d091da175ab13238372fac83448424046d64eb535349e7d0N
SHA256 ef0e45386099ac22d091da175ab13238372fac83448424046d64eb535349e7d0
Tags
upx discovery ransomware
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

ef0e45386099ac22d091da175ab13238372fac83448424046d64eb535349e7d0

Threat Level: Likely malicious

The file ef0e45386099ac22d091da175ab13238372fac83448424046d64eb535349e7d0N was found to be: Likely malicious.

Malicious Activity Summary

upx discovery ransomware

Renames multiple (3255) files with added filename extension (behavioral1, Windows 7 run)

Renames multiple (4679) files with added filename extension (behavioral2, Windows 10 run)

UPX packed file

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-05 20:00

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
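The two static signatures above are reported without indicators. The following is an added example, not part of the sandbox report or its tooling: a dependency-free PE reader that checks the two things the signatures assert. It looks for the section names the UPX packer writes by default (UPX0, UPX1), measures per-section Shannon entropy as the fallback signal when a packer has renamed its sections, and reads the Certificate Table entry of the data directory (index 4), whose zero size means no embedded Authenticode signature. `build_pe` only constructs a throwaway PE32 image as a test fixture; it is not the analysed sample, and `HIGH_ENTROPY` is an assumed threshold. One caveat a triage analyst should keep in mind: Windows also trusts catalog-signed binaries, so an empty Certificate Table shows the file carries no signature of its own, not that Windows would treat it as unsigned in every context.

```python
import hashlib
import math
import struct

# Index of the Certificate Table (Authenticode signature) in the PE data directory array.
IMAGE_DIRECTORY_ENTRY_SECURITY = 4
HIGH_ENTROPY = 7.0  # bits per byte (assumed threshold); compressed or encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def inspect_pe(data: bytes) -> dict:
    """Parse just enough of a PE image to answer: UPX-packed? Authenticode-signed?"""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _ts, _symptr, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    # PE32 stores the 16 data directories at optional-header offset 96, PE32+ at 112.
    dd_base = opt + (96 if magic == 0x10B else 112)
    _sec_off, sec_size = struct.unpack_from("<II", data, dd_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)

    sections = []
    sec_hdr = opt + opt_size
    for i in range(nsections):
        off = sec_hdr + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("latin-1")
        _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        raw = data[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({"name": name, "raw_size": raw_size, "entropy": round(shannon_entropy(raw), 2)})

    upx_sections = [s["name"] for s in sections if s["name"].upper().startswith("UPX")]
    high_entropy = [s["name"] for s in sections if s["entropy"] >= HIGH_ENTROPY]
    return {
        "sections": sections,
        "upx_sections": upx_sections,
        "high_entropy_sections": high_entropy,
        # Section names are trivially renamed, so entropy is kept as the second signal.
        "packed": bool(upx_sections) or bool(high_entropy),
        # A zero-sized Certificate Table means no embedded Authenticode signature.
        "signed": sec_size > 0,
    }


def build_pe(sections, security_size=0) -> bytes:
    """Build a minimal PE32 image as a constructed test fixture (not a runnable program)."""
    file_align = 0x200
    opt_size = 224  # size of a PE32 optional header
    headers_len = 0x40 + 4 + 20 + opt_size + 40 * len(sections)
    headers_len = -(-headers_len // file_align) * file_align
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0, security_size)
    hdrs, bodies, raw_ptr, rva = bytearray(), bytearray(), headers_len, 0x1000
    for name, raw in sections:
        padded = raw + b"\0" * (-len(raw) % file_align)
        # UPX0 is typically an empty-on-disk section; SizeOfRawData 0 models that.
        hdrs += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(raw) or 0x10000, rva,
                            len(padded), raw_ptr if padded else 0, 0, 0, 0, 0, 0x60000020)
        bodies += padded
        raw_ptr += len(padded)
        rva += 0x10000
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(hdrs)
    return image.ljust(headers_len, b"\0") + bytes(bodies)


def pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy filler standing in for a compressed UPX1 body."""
    out = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(n // 32 + 1))
    return out[:n]


if __name__ == "__main__":
    packed = build_pe([("UPX0", b""), ("UPX1", pseudo_random(4096))])
    plain = build_pe([(".text", b"\x90" * 4096), (".data", b"A" * 256)], security_size=0x800)
    print(inspect_pe(packed))
    print(inspect_pe(plain))
```

Run against a real file with `inspect_pe(open(path, "rb").read())`; the memory dumps listed later in this report (0x400000 to 0x40A000) are consistent with a small packed image, and the unpacked layout only appears in memory after the UPX stub has run.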

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-05 20:00

Reported

2024-10-05 20:02

Platform

win7-20240708-en

Max time kernel

120s

Max time network

17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ef0e45386099ac22d091da175ab13238372fac83448424046d64eb535349e7d0N.exe"

Signatures

Renames multiple (3255) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
(Process for every row below: C:\Users\Admin\AppData\Local\Temp\ef0e45386099ac22d091da175ab13238372fac83448424046d64eb535349e7d0N.exe; Target: N/A. Each created file keeps the original name with .tmp appended.)
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Macquarie.tmp
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.nl_zh_4.4.0.v20140623020002.jar.tmp
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-heapdump.jar.tmp
File created C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\InkObj.dll.mui.tmp
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passport_mask_right.png.tmp
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\Passport_PAL.wmv.tmp
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr.jar.tmp
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Catamarca.tmp
File created C:\Program Files\Java\jre7\lib\zi\America\Winnipeg.tmp
File created C:\Program Files\Mozilla Firefox\defaultagent_localized.ini.tmp
File created C:\Program Files\Java\jre7\lib\zi\Europe\Monaco.tmp
File created C:\Program Files\Microsoft Games\Purble Place\desktop.ini.tmp
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\mip.exe.mui.tmp
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Shorthand.emf.tmp
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-editor-mimelookup.jar.tmp
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-progress.xml.tmp
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-oql.xml.tmp
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-options_zh_CN.jar.tmp
File created C:\Program Files\Java\jre7\lib\zi\Asia\Brunei.tmp
File created C:\Program Files\Java\jre7\lib\zi\Australia\Lord_Howe.tmp
File created C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\tipresx.dll.mui.tmp
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\am.pak.tmp
File created C:\Program Files\Java\jre7\bin\jaas_nt.dll.tmp
File created C:\Program Files\Microsoft Games\Hearts\it-IT\Hearts.exe.mui.tmp
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\fxplugins.dll.tmp
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\zip.dll.tmp
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\ECLIPSE_.RSA.tmp
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-editor-mimelookup-impl_zh_CN.jar.tmp
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jvmstat.xml.tmp
File created C:\Program Files\7-Zip\Lang\sa.txt.tmp
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Sydney.tmp
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.swt.win32.win32.x86_64_3.103.1.v20140903-1947.jar.tmp
File created C:\Program Files\Java\jre7\lib\zi\Asia\Ho_Chi_Minh.tmp
File created C:\Program Files\Java\jre7\lib\fonts\LucidaBrightRegular.ttf.tmp
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipBand.dll.mui.tmp
File created C:\Program Files\Common Files\System\ado\msadox.dll.tmp
File created C:\Program Files\Internet Explorer\Timeline_is.dll.tmp
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe.tmp
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Eirunepe.tmp
File created C:\Program Files\Java\jre7\lib\zi\America\Yakutat.tmp
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Web.Entity.Resources.dll.tmp
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.htm.tmp
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\title_trans_notes.wmv.tmp
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Pangnirtung.tmp
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.nl_zh_4.4.0.v20140623020002.jar.tmp
File created C:\Program Files\Java\jre7\lib\zi\America\Argentina\San_Luis.tmp
File created C:\Program Files\Java\jre7\lib\zi\America\Araguaina.tmp
File created C:\Program Files\Java\jre7\lib\zi\Europe\Bucharest.tmp
File created C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\InputPersonalization.exe.mui.tmp
File created C:\Program Files\Common Files\System\msadc\ja-JP\msadcor.dll.mui.tmp
File created C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationUp_ButtonGraphic.png.tmp
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\javafx-iio.dll.tmp
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\mlib_image.dll.tmp
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\pt-BR.pak.tmp
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.net.nl_zh_4.4.0.v20140623020002.jar.tmp
File created C:\Program Files\Java\jre7\lib\zi\Asia\Kabul.tmp
File created C:\Program Files\VideoLAN\VLC\lua\playlist\rockbox_fm_presets.luac.tmp
File created C:\Program Files\VideoLAN\VLC\plugins\codec\librtpvideo_plugin.dll.tmp
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\optimization_guide_internal.dll.tmp
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\deploy.dll.tmp
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher_1.3.0.v20140911-0143.jar.tmp
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_classic_win7.css.tmp
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-api-caching.xml.tmp
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\Xusage.txt.tmp
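The "Renames multiple files with added filename extension" and "Drops file in Program Files directory" signatures describe the same behaviour from two angles: every created file keeps its original name and gains a .tmp suffix, and the writes span several top-level directories. The following is an added example, not the sandbox's own signature logic, showing how such a rule can be expressed over the report's event rows. `SAMPLE_EVENTS` is a constructed subset of rows taken from the two detonations (plus one non-file event to show it being ignored); the `min_count` and `min_roots` thresholds are assumptions, chosen so a hand-sized sample trips the rule, and `original_name` recovers the pre-rename path the way a recovery script would.

```python
import re
from pathlib import PureWindowsPath

# Constructed subset of "File created" rows from the two detonations in this report,
# plus one registry event to show that the parser ignores non-file rows.
SAMPLE_EVENTS = [
    r"File created C:\Program Files\7-Zip\7z.dll.tmp",
    r"File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Macquarie.tmp",
    r"File created C:\Program Files\Mozilla Firefox\defaultagent_localized.ini.tmp",
    r"File created C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\InkObj.dll.mui.tmp",
    r"File created C:\$Recycle.Bin\S-1-5-21-1506706701-1246725540-2219210854-1000\desktop.ini.tmp",
    r"File created C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp",
    r"File created C:\Program Files\Java\jre-1.8\bin\server\jvm.dll.tmp",
    r"File created C:\Program Files\Microsoft Office\root\Office16\CLVIEW.EXE.tmp",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language",
]

EVENT_RE = re.compile(r"^File created (?P<path>.+?)\s*$")


def parse_created_paths(lines):
    """Return the path from every 'File created <path>' row, ignoring other event types."""
    paths = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if m:
            paths.append(m.group("path"))
    return paths


def original_name(path: str) -> str:
    """Strip the appended extension, e.g. 7z.dll.tmp -> 7z.dll (PureWindowsPath works off-Windows)."""
    return str(PureWindowsPath(path).with_suffix(""))


def mass_rename_summary(paths, min_count=50, min_roots=2):
    """Group created files by their last extension and flag the dominant one when it
    appears on at least min_count files spread over at least min_roots top-level
    directories (drive plus first folder). Thresholds are assumptions, not the sandbox's."""
    by_ext = {}
    for p in paths:
        wp = PureWindowsPath(p)
        if wp.suffix:
            by_ext.setdefault(wp.suffix.lower().lstrip("."), []).append(wp)
    if not by_ext:
        return {"flag": False, "added_extension": None, "count": 0, "directories": 0, "roots": []}
    ext, hits = max(by_ext.items(), key=lambda kv: len(kv[1]))
    roots = set()
    for wp in hits:
        top = wp.parts[:2] if len(wp.parts) > 2 else wp.parts[:1]
        roots.add(str(PureWindowsPath(*top)))
    return {
        "flag": len(hits) >= min_count and len(roots) >= min_roots,
        "added_extension": ext,
        "count": len(hits),
        "directories": len({wp.parent for wp in hits}),
        "roots": sorted(roots),
    }


if __name__ == "__main__":
    created = parse_created_paths(SAMPLE_EVENTS)
    print(mass_rename_summary(created, min_count=5, min_roots=2))
    print(original_name(created[0]))
```

On the full report this rule is what the sandbox counts as 3255 and 4679 renames respectively; the counts differ only because the Windows 10 image carries more files under Program Files. A production rule should additionally window the events in time, since a legitimate installer also writes many .tmp files, but within one directory tree rather than across $Recycle.Bin, MSOCache and Program Files at once.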

System Location Discovery: System Language Discovery (ATT&CK T1614.001)

Opening the NLS\Language key is also routine for legitimate software that checks the install language, so on its own this is a weak indicator. Ransomware families commonly check the system language before encrypting, but the report only records the key being opened, not how the value was used.

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ef0e45386099ac22d091da175ab13238372fac83448424046d64eb535349e7d0N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ef0e45386099ac22d091da175ab13238372fac83448424046d64eb535349e7d0N.exe

"C:\Users\Admin\AppData\Local\Temp\ef0e45386099ac22d091da175ab13238372fac83448424046d64eb535349e7d0N.exe"

Network

N/A

Files

memory/2272-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-1506706701-1246725540-2219210854-1000\desktop.ini.tmp

MD5 d0249103d6cf41a210e3a56f644872b4
SHA1 d839bfc346265d4afcdae3a92123fa8b1e663d93
SHA256 63a91b9a273e21fa1e68b1d50036f38e142a9e8ec6dc7f92dfadca59924d2d21
SHA512 8936fdcf6409cf9d5ef4738a1e5db4e5f5329a840ceac53b05e8d10e52bd146115088c4eaf1736763fe4e56b9ee7ecc03390f21a0fb92edd16e69dfbb16cde53

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 cd12fa9ed2b30333b3b1dd42d4478d0e
SHA1 68b3aba64bdc1ae353e303f1fe6b419380fd1364
SHA256 46c9aca5641bec5395cea5cc0323d902df38e7e888b702ef787c67d38f3dc9bc
SHA512 994ff738c609e08e795b7fad167001fa7ebc1733db573a3f839d23ab67c5b52c4be46347e1df7a514dcf505143c7cfb207058a00eb54cf76b15693ffcee33f7b

memory/2272-71-0x0000000000400000-0x000000000040A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-05 20:00

Reported

2024-10-05 20:02

Platform

win10v2004-20240802-en

Max time kernel

119s

Max time network

100s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ef0e45386099ac22d091da175ab13238372fac83448424046d64eb535349e7d0N.exe"

Signatures

Renames multiple (4679) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
(Process for every row below: C:\Users\Admin\AppData\Local\Temp\ef0e45386099ac22d091da175ab13238372fac83448424046d64eb535349e7d0N.exe; Target: N/A. Each created file keeps the original name with .tmp appended.)
File created C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\SIST02.XSL.tmp
File created C:\Program Files\Microsoft Office\root\Office16\CLVIEW.EXE.tmp
File created C:\Program Files\7-Zip\7z.dll.tmp
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Resources.Reader.dll.tmp
File created C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-interlocked-l1-1-0.dll.tmp
File created C:\Program Files\Java\jre-1.8\bin\j2pkcs11.dll.tmp
File created C:\Program Files\Java\jre-1.8\legal\jdk\cldr.md.tmp
File created C:\Program Files\Java\jre-1.8\lib\ext\cldrdata.jar.tmp
File created C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml.tmp
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_MAKC2R-ppd.xrm-ms.tmp
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Xaml.resources.dll.tmp
File created C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-sysinfo-l1-1-0.dll.tmp
File created C:\Program Files\Java\jdk-1.8\jre\lib\flavormap.properties.tmp
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioProMSDNR_Retail-ul-phn.xrm-ms.tmp
File created C:\Program Files\Common Files\microsoft shared\ink\pl-PL\tipresx.dll.mui.tmp
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Security.Cryptography.ProtectedData.dll.tmp
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_OEM_Perp-ul-oob.xrm-ms.tmp
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-180.png.tmp
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Loader.dll.tmp
File created C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_OEM_Perp-ul-phn.xrm-ms.tmp
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-80.png.tmp
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp4-ppd.xrm-ms.tmp
File created C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\OpenSSL64.DllA\openssl64.dlla.manifest.tmp
File created C:\Program Files\Common Files\microsoft shared\ink\es-ES\mshwLatin.dll.mui.tmp
File created C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_MAK-ul-phn.xrm-ms.tmp
File created C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Trial-ppd.xrm-ms.tmp
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\UIAutomationTypes.resources.dll.tmp
File created C:\Program Files\Microsoft Office\root\Office16\1033\EXPTOOWS.DLL.tmp
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-80.png.tmp
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Encoding.CodePages.dll.tmp
File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription1-ul-oob.xrm-ms.tmp
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-ul-phn.xrm-ms.tmp
File created C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Trial-ppd.xrm-ms.tmp
File created C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Trial-pl.xrm-ms.tmp
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Document.XmlSerializers.dll.tmp
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-140.png.tmp
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\UIAutomationClient.resources.dll.tmp
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\PresentationCore.resources.dll.tmp
File created C:\Program Files\Java\jre-1.8\lib\cmm\LINEAR_RGB.pf.tmp
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Grace-ppd.xrm-ms.tmp
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Retail-ul-phn.xrm-ms.tmp
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_MAKC2R-ul-oob.xrm-ms.tmp
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.TypeConverter.dll.tmp
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\System.Windows.Forms.Primitives.resources.dll.tmp
File created C:\Program Files\Java\jdk-1.8\lib\packager.jar.tmp
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\UIAutomationProvider.resources.dll.tmp
File created C:\Program Files\Java\jre-1.8\bin\server\jvm.dll.tmp
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_MAK-ul-oob.xrm-ms.tmp
File created C:\Program Files\Microsoft Office\root\Office16\MEDIA\COIN.WAV.tmp
File created C:\Program Files\Common Files\System\msadc\msaddsr.dll.tmp
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\System.Windows.Forms.resources.dll.tmp
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Windows.Forms.Primitives.resources.dll.tmp
File created C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-utility-l1-1-0.dll.tmp
File created C:\Program Files\Java\jdk-1.8\legal\jdk\jpeg.md.tmp
File created C:\Program Files\Java\jre-1.8\lib\ext\jaccess.jar.tmp
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework-SystemXmlLinq.dll.tmp
File created C:\Program Files\Java\jdk-1.8\jre\lib\ext\cldrdata.jar.tmp
File created C:\Program Files\Microsoft Office\root\Office16\MSVCP140_APP.DLL.tmp
File created C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.tmp
File created C:\Program Files\Common Files\System\Ole DB\ja-JP\sqlxmlx.rll.mui.tmp
File created C:\Program Files\Java\jdk-1.8\jre\bin\unpack.dll.tmp
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Smokey Glass.eftx.tmp
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Text.RegularExpressions.dll.tmp
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\UIAutomationClient.resources.dll.tmp

System Location Discovery: System Language Discovery (ATT&CK T1614.001)

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ef0e45386099ac22d091da175ab13238372fac83448424046d64eb535349e7d0N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ef0e45386099ac22d091da175ab13238372fac83448424046d64eb535349e7d0N.exe

"C:\Users\Admin\AppData\Local\Temp\ef0e45386099ac22d091da175ab13238372fac83448424046d64eb535349e7d0N.exe"

Network

All recorded traffic consists of reverse (PTR) lookups sent to 8.8.8.8. The report attributes none of them to a process, no forward lookups or non-DNS connections are recorded, and the Windows 7 run shows no network activity at all, so these rows cannot be tied to the sample from this page alone.

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 100.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 67.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
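Reverse-lookup names are written with the octets in reverse order, so the addresses being asked about are not obvious at a glance. The following is an added example, not part of the sandbox report: it parses rows in the table's four-column layout, turns each in-addr.arpa name back into the IPv4 address it asks about, and summarises whether the capture contains anything other than PTR queries. `SAMPLE_DNS_ROWS` is a constructed subset of the rows above; the ip6.arpa branch is a generalisation beyond the table (nibble-reversed IPv6 names, which this report does not contain). The decoded addresses are what an analyst would check against their own allowlists and threat intelligence; nothing here asserts who owns them.

```python
import ipaddress

# Constructed subset of the behavioral2 Network table rows in this report.
SAMPLE_DNS_ROWS = [
    "US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp",
    "US 8.8.8.8:53 100.209.201.84.in-addr.arpa udp",
    "US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp",
    "US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp",
]


def ptr_to_ip(qname: str):
    """Turn a reverse-lookup name back into the address it asks about.

    IPv4: 217.106.137.52.in-addr.arpa -> 52.137.106.217
    IPv6 (ip6.arpa nibble form) is handled as a generalisation beyond the table above.
    Returns None for names that are not reverse lookups; raises on malformed ones.
    """
    q = qname.rstrip(".").lower()
    if q.endswith(".in-addr.arpa"):
        labels = q[: -len(".in-addr.arpa")].split(".")
        if len(labels) != 4:
            raise ValueError(f"malformed in-addr.arpa name: {qname}")
        return str(ipaddress.IPv4Address(".".join(reversed(labels))))
    if q.endswith(".ip6.arpa"):
        nibbles = q[: -len(".ip6.arpa")].split(".")
        if len(nibbles) != 32 or any(len(n) != 1 for n in nibbles):
            raise ValueError(f"malformed ip6.arpa name: {qname}")
        return str(ipaddress.IPv6Address(int("".join(reversed(nibbles)), 16)))
    return None


def parse_dns_rows(rows):
    """Split 'Country Destination Domain Proto' rows into dicts."""
    parsed = []
    for row in rows:
        country, dest, domain, proto = row.split()
        parsed.append({"country": country, "resolver": dest, "qname": domain, "proto": proto})
    return parsed


def summarize_dns(rows):
    """Decode every PTR name and report whether anything but reverse lookups was captured."""
    parsed = parse_dns_rows(rows)
    ptr_targets, forward = [], []
    for r in parsed:
        ip = ptr_to_ip(r["qname"])
        if ip:
            ptr_targets.append(ip)
        else:
            forward.append(r["qname"])
    return {
        "resolvers": sorted({r["resolver"] for r in parsed}),
        "ptr_targets": ptr_targets,
        "forward_queries": forward,
        "ptr_only": bool(parsed) and not forward,
    }


if __name__ == "__main__":
    print(summarize_dns(SAMPLE_DNS_ROWS))
```

A `ptr_only` result with a single public resolver and no process attribution is the shape of background OS noise rather than command-and-control; a sample that resolved a domain of its own would show up under `forward_queries`.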

Files

memory/5004-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini.tmp

MD5 1ededc64b20453c8a9d758e78f0fc1a2
SHA1 5eb5bc65b4dc4e89f281dc31d7c3e9dc5d5ec4d2
SHA256 ccd2b4330d587093290f9e3d26768d5f81fca996aa1eb68d170af1dc9d3cb3c8
SHA512 7dca2888d173f81164dc5aa01e4b7c03f364e3dd5df4c8d71e4ecde58faf847a45428626c0d4bb9911efb21b925c52497225e52f1f4eed3db539391d94174985

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 ca799e92256895d17856b85b67ae5446
SHA1 cb1cb52b8710f172e66de33f8ddbf7249a61c5a1
SHA256 894c7b43d71753a4f42359671a708fd81458e938ab55f0ad221ac13ca38eb142
SHA512 1b3091093e06d1a80ab004dd3d4c5020755c366cf0f1ac7604ca349d56d02404daefdfa0da795f642ee560bfd9879bef882f68a285f464a419cd1d65802a0065

memory/5004-1013-0x0000000000400000-0x000000000040A000-memory.dmp