Malware Analysis Report

2025-03-15 08:17

Sample ID 241016-hwl5zasgkr
Target efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429
SHA256 efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429
Tags
upx discovery ransomware
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429

Threat Level: Likely malicious

The file efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429 was found to be: Likely malicious.

Malicious Activity Summary

upx discovery ransomware

Renames multiple (973) files with added filename extension

Renames multiple (2227) files with added filename extension

UPX packed file

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-16 07:05

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 07:05

Reported

2024-10-16 07:07

Platform

win7-20240903-en

Max time kernel

150s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe"

Signatures

Renames multiple (973) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationRight_SelectionSubpicture.png.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SceneButtonInset_Alpha1.png.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\InkObj.dll.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\mshwjpnr.dll.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\Common Files\System\en-US\wab32res.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome.dll.sig.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\Internet Explorer\DiagnosticsHub_is.dll.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Vincennes.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\7-Zip\Lang\mk.txt.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_highlights_Thumbnail.bmp.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Anchorage.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Filters\msgfilt.dll.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Monet.jpg.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_hu.jar.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\jvm.hprof.txt.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Aqtobe.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\InkDiv.dll.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-next-static.png.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\Center.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.htm.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\203x8subpicture.png.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Mendoza.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\fr-FR\sqloledb.rll.mui.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\DVD Maker\fieldswitch.ax.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Trans_Scene_PAL.wmv.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\TipTsf.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\IPSEventLogMsg.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\Internet Explorer\en-US\iexplore.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Goose_Bay.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Guayaquil.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\DVD Maker\fr-FR\WMM2CLIP.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\Common Files\System\msadc\es-ES\msaddsr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\ParentMenuButtonIconSubpict.png.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationLeft_ButtonGraphic.png.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Orange Circles.htm.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\button-highlight.png.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Chita.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\it.pak.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\7-Zip\Lang\eu.txt.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\Common Files\System\msadc\es-ES\msadcfr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Full\15x15dot.png.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ipssrb.xml.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI.DLL.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\Common Files\System\msadc\fr-FR\msdaremr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyNotesBackground.wmv.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Samarkand.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_zh_HK.properties.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\fr-FR\MSTTSLoc.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\DVD Maker\offset.ax.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationLeft_SelectionSubpicture.png.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaBrightItalic.ttf.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Campo_Grande.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_LOOP_BG.wmv.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SceneButtonSubpicture.png.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Title_Page_Ref.wmv.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe

"C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe"

Network

N/A

Files

memory/2988-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-312935884-697965778-3955649944-1000\desktop.ini.tmp

MD5 395d3e52fc2bdf3ebb1b17f8d10d15a6
SHA1 9631f15db5f2fd80c64e281d45dc0b3b85282970
SHA256 982a7449bb7f28f43bf164fd6cc5ff4d3cf975efedfa7b27711869623d732153
SHA512 6484f78699431b6e1e9c6ce237b39e5c115fc462a56d2c4797fc1414a086b5268a9bbb6bbba2d1318ec17ff02f8d133f4ea75ce6893965a8e1ce693b1943525b

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 e07cd8094e80faaa2a6896b1f7a6b54c
SHA1 a62c7948518f2adb5544edae7e66f8d819dfc729
SHA256 5c34f28c508d8d7586db5c38e5aafad5a625b31f9e4d8fab25ede913846b701c
SHA512 2926aca2abea902e7cb6a0efa56ac2ea4ede962ec0f82bda122350ae2a516e75fa35b8b05f00e426868db9d6a5609dfeb4e64906683d7a1b000db3ba27f51f0b

memory/2988-62-0x0000000000400000-0x000000000040B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 07:05

Reported

2024-10-16 07:07

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe"

Signatures

Renames multiple (2227) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Encoding.Extensions.dll.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\JavaAccessBridge-64.dll.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\7-Zip\7zFM.exe.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\7-Zip\Lang\lt.txt.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.InteropServices.JavaScript.dll.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\UIAutomationProvider.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.Luna.dll.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-interlocked-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\msvcp140.dll.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\7-Zip\Lang\lij.txt.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\jstack.exe.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\legal\javafx\libffi.md.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Presentation.dll.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Requests.dll.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\WindowsFormsIntegration.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\UIAutomationTypes.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\7-Zip\Lang\yo.txt.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred.xml.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\it-IT\TipTsf.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.IsolatedStorage.dll.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\PresentationUI.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\cmm\PYCC.pf.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Sockets.dll.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\legal\jdk\lcms.md.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\zh-CN\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\ExitDisable.edrwx.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-file-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\npjp2.dll.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\7-Zip\Lang\sr-spc.txt.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Diagnostics.EventLog.Messages.dll.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\System.Windows.Forms.Primitives.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\System.Xaml.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\System.Xaml.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_it.properties.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\jfr.jar.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Algorithms.dll.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\ucrtbase.dll.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\j2pcsc.dll.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\es-ES\rtscom.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.Tracing.dll.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.XPath.dll.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Windows.Controls.Ribbon.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationUI.dll.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-filesystem-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-console-l1-2-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\msvcp140_2.dll.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.AccessControl.dll.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Compression.dll.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Forms.Design.dll.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.Primitives.dll.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework-SystemDrawing.dll.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Collections.dll.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Requests.dll.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\PresentationFramework.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ea-sym.xml.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pkeyconfig.companion.dll.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\Common Files\microsoft shared\VSTO\vstoee100.tlb.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.WebSockets.dll.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\es-ES\InkObj.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ipscht.xml.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\Common Files\microsoft shared\VSTO\vstoee90.tlb.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Collections.NonGeneric.dll.tmp C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe

"C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 105.193.132.51.in-addr.arpa udp

Files

memory/956-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3227495264-2217614367-4027411560-1000\desktop.ini.tmp

MD5 f2b551c6e345d9bae624487dcc27dbf5
SHA1 17d7a49c298ac44aea2ca0196eb52f9f4ec97589
SHA256 e3b95e06356fe976d5a17219704a1d3817c53d95aa9650b3b13e3bfd117034ed
SHA512 263cf54d6badd8fb58d9d74b45e1cd7a14666ead95ebee2ba4e270ec1d62a2fe6e3ab70901229e23b0ece65582d38c6f0bee320779a9b162190c05156784c775

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 ad6b302327249b18d78ffd234500354f
SHA1 e32e375ea7d4d1c0f0af68f71921833d60176691
SHA256 fb9f4936555a8306476d2d216c9a0687e1559633a6c8d97756db415673fa9326
SHA512 6d829fdf4931851a5e7eece0ec462c6de40e4d74776e6df75d8ba43afd10e45efb5df41c5f3c1e90572ee5151beea6a0060ba8a65159297f29148aa6aa487cad

memory/956-388-0x0000000000400000-0x000000000040B000-memory.dmp