Malware Analysis Report

2025-03-15 08:18

Sample ID 241016-g26acs1dkn
Target def4777d4781fcbd47dd6ab36d8085a4a935092de082860b04c17609b47aa4e8
SHA256 def4777d4781fcbd47dd6ab36d8085a4a935092de082860b04c17609b47aa4e8
Tags upx discovery ransomware
Score 9/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score

9/10

SHA256

def4777d4781fcbd47dd6ab36d8085a4a935092de082860b04c17609b47aa4e8

Threat Level: Likely malicious

The file def4777d4781fcbd47dd6ab36d8085a4a935092de082860b04c17609b47aa4e8 was found to be: Likely malicious.

Malicious Activity Summary

upx discovery ransomware

Renames multiple (5192) files with added filename extension

Renames multiple (3766) files with added filename extension

UPX packed file

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-16 06:19

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 06:19

Reported

2024-10-16 06:21

Platform

win7-20240708-en

Max time kernel

150s

Max time network

17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\def4777d4781fcbd47dd6ab36d8085a4a935092de082860b04c17609b47aa4e8.exe"

Signatures

Renames multiple (3766) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\def4777d4781fcbd47dd6ab36d8085a4a935092de082860b04c17609b47aa4e8.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\def4777d4781fcbd47dd6ab36d8085a4a935092de082860b04c17609b47aa4e8.exe

"C:\Users\Admin\AppData\Local\Temp\def4777d4781fcbd47dd6ab36d8085a4a935092de082860b04c17609b47aa4e8.exe"

Network

N/A

Files

memory/808-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-1506706701-1246725540-2219210854-1000\desktop.ini.tmp

MD5 ba3fd43ca8f9e12951e514e81b5cdd87
SHA1 f3f3f5c199f31571ee1178cbd7288067a00ee437
SHA256 23cb926ec90fef70a2de66e201cf3a3d0747d2ab5ad1130d3113dce9653a3cf0
SHA512 92d128890d079d623b68b103747acfead4d0404eec045f143d7856d2bc9c875efb264622a72d6121c1b48e382c0972000679aba0c96f99a955ddc68e9e6998fc

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 5886f39ae48b90ecb79b03371300a78d
SHA1 c75980369260b7d374f1e6617e9fff86259e7cdd
SHA256 06a87d777f79bdd03fac29d9a59fab8e316d7da56f73189b296e4286ecdeb6f6
SHA512 4ad7577dd03061dc29cd8153f662e54aeb6bd7dd70e701c136b3a1d81598d96c257108c59ebae92f96a75c97cf7b334c14cf8ac74366bc0e3e093044168a5caf

memory/808-70-0x0000000000400000-0x000000000040B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 06:19

Reported

2024-10-16 06:21

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\def4777d4781fcbd47dd6ab36d8085a4a935092de082860b04c17609b47aa4e8.exe"

Signatures

Renames multiple (5192) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\def4777d4781fcbd47dd6ab36d8085a4a935092de082860b04c17609b47aa4e8.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\def4777d4781fcbd47dd6ab36d8085a4a935092de082860b04c17609b47aa4e8.exe

"C:\Users\Admin\AppData\Local\Temp\def4777d4781fcbd47dd6ab36d8085a4a935092de082860b04c17609b47aa4e8.exe"

Network

Country Destination Domain Proto

Files

memory/1540-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-4050598569-1597076380-177084960-1000\desktop.ini.tmp

MD5 3f492518dd7bb7118e2da05112f23ac7
SHA1 0cf14e6d349c188da92c66a86c1f9f7900f06a2b
SHA256 67a8e56ed818e333c85b84e8c4b9d3fd0f944d80cc7c6ba6acacd81ee0d118bb
SHA512 a2bcfd54b61c1f1d98661bf92dec61e206a4d2b9b84df485bbf3f487690d2717e5c5a3ed33039d62a993ec104372ebb75d0c91f4dc8611c596e484f094afc5bc

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 190113cee0a3d915be7ce1cc7574a18b
SHA1 3ff7138d3a6261a27697a990cfe9274bc0736902
SHA256 aaec25936c012eb21c63c5b841e2651529ce1f11ba542c6281073b9c6f03506a
SHA512 227fa2cdf772f5acc155ac4ae3aff2aed7c6b7407438b86ca4483abdefccce083efc94abcb33acba9986cf60620c58d652c45827dee86334b5a9c82c6f6ed073

memory/1540-782-0x0000000000400000-0x000000000040B000-memory.dmp