Malware Analysis Report

2025-03-15 08:17

Sample ID 241016-gnpepawclc
Target 2de56d1470e1869d5e49c15207da3bbea64e20d93ade0074a475c93eade7d5fdN
SHA256 2de56d1470e1869d5e49c15207da3bbea64e20d93ade0074a475c93eade7d5fd
Tags
upx discovery ransomware
score
9/10


Analysis Overview

score
9/10

SHA256

2de56d1470e1869d5e49c15207da3bbea64e20d93ade0074a475c93eade7d5fd

Threat Level: Likely malicious

The file 2de56d1470e1869d5e49c15207da3bbea64e20d93ade0074a475c93eade7d5fdN was found to be: Likely malicious.

Malicious Activity Summary

upx discovery ransomware

Renames multiple (3275) files with added filename extension

Renames multiple (4673) files with added filename extension

UPX packed file

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-16 05:57

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 05:57

Reported

2024-10-16 05:59

Platform

win7-20240903-en

Max time kernel

120s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2de56d1470e1869d5e49c15207da3bbea64e20d93ade0074a475c93eade7d5fdN.exe"

Signatures

Renames multiple (3275) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2de56d1470e1869d5e49c15207da3bbea64e20d93ade0074a475c93eade7d5fdN.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2de56d1470e1869d5e49c15207da3bbea64e20d93ade0074a475c93eade7d5fdN.exe

"C:\Users\Admin\AppData\Local\Temp\2de56d1470e1869d5e49c15207da3bbea64e20d93ade0074a475c93eade7d5fdN.exe"

Network

N/A

Files

memory/2532-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-312935884-697965778-3955649944-1000\desktop.ini.tmp

MD5 a3e518cfd5f82026548ff515ad1636e2
SHA1 c18fdcd72628cdff47a99e6659c0d23dd07a919d
SHA256 4777d3b47115c3965de5c0458e7f60aff973b2a6832514d3a7f1ae8c16565cf1
SHA512 56e90ce0e8c08375ad4d0ea8af6cbe8ea56ee11668095ed4f5dded7dcf87885668d3e3cf8ff9b002b63d330f94e506503ece04b2b8d98ec3156ecf9be02527c0

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 a0e2698c08ef164651fd150137f53e97
SHA1 04b76df91af60507b4bb42f1a9a2e616d1362970
SHA256 e35f71c78cfb9b1d1782b0211139cfa551909f0723647891e0cadc474efe760c
SHA512 fceb1466193243b9c583e4cd447f5ff434fd3dfb814824d01f67b9e68f79ff7ea0d2e2c785d33970813794d0a9e2d32249f5a9831ef88a79f5231dda3a30e047

memory/2532-75-0x0000000000400000-0x000000000040A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 05:57

Reported

2024-10-16 05:59

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

102s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2de56d1470e1869d5e49c15207da3bbea64e20d93ade0074a475c93eade7d5fdN.exe"

Signatures

Renames multiple (4673) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2de56d1470e1869d5e49c15207da3bbea64e20d93ade0074a475c93eade7d5fdN.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2de56d1470e1869d5e49c15207da3bbea64e20d93ade0074a475c93eade7d5fdN.exe

"C:\Users\Admin\AppData\Local\Temp\2de56d1470e1869d5e49c15207da3bbea64e20d93ade0074a475c93eade7d5fdN.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

memory/1340-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-940901362-3608833189-1915618603-1000\desktop.ini.tmp

MD5 563ddb69f273197052a7423e5dbbdd5c
SHA1 ba920bcb7a8925cb1942a9152ec8535fcdc2426b
SHA256 482f2721cb6f8004f820168349f99710319bda2b3fc8cd63cf1204280753f9b1
SHA512 b030ad3d35db1c3cf9d440b081093efb55774317184481cebfcde276dd9337bd6bf26d9aa0dfc824b1b5b64f48e6813906b8fa449f71eed2d560f80f488f4a60

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 9dd9033d4f793ca1574b4220611d098a
SHA1 ab35ec8b9e76b758198b17fee12f3f3a6f14d01c
SHA256 8de380e0f2d5ebc4a4deb51e57635e06a52a510635807923c7cca812e187f417
SHA512 1cf4b033b2bdbc9875a7d3a617bace16c829e4a45b6b7e9408cdf50651c283ca29179147a235688ce9aea85a76b1475bf835919d7e48df400b469f8545162e41

memory/1340-786-0x0000000000400000-0x000000000040A000-memory.dmp