Malware Analysis Report

2025-03-15 08:18

Sample ID 241016-hzev3aycpd
Target efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429
SHA256 efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429
Tags discovery ransomware upx
Score 9/10

Analysis Overview

Score 9/10

SHA256 efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429

Threat Level: Likely malicious

The file efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429 was found to be: Likely malicious.

Malicious Activity Summary

discovery ransomware upx

Renames multiple (996) files with added filename extension

Renames multiple (2184) files with added filename extension

UPX packed file

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-16 07:10

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 07:10

Reported

2024-10-16 07:12

Platform

win7-20241010-en

Max time kernel

150s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe"

Signatures

Renames multiple (996) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe

"C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe"

Network

N/A

Files

memory/2032-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2039016743-699959520-214465309-1000\desktop.ini.tmp

MD5 f16241be6300e76b82abedfc9b90bda8
SHA1 b411069d010d85564cac0c31ef66d3c02445622d
SHA256 a873fbab89ad1cd1da1c2465b24c856a8e64878d8290b85fed16f24455d2c760
SHA512 de5553ab1b5747d5b76a9794a71323a4785ddf25cf3f23c2dd05bd5fe982e26f923a139a5140ab72bc4f870d3cd4dd9c38a413fb3052c59b1bcc2c2794890f21

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 2eb506ede42519d8daa063bb4eb2ee89
SHA1 93dbdda3ff687e7f8e6e122daaa87a828094d259
SHA256 c169c7b0803e525ffebb5ac2c55781d72cabe156e0c7d03a62518da5099641f6
SHA512 4247bc4dc98ccd808740fb78bc90fc68c9df778e8cdb6c53040ac907e10cde470ab2fa5e248e3e99eb0e237a6781bec3070e4aa4a0f45e2a67f6c72f7093a63e

memory/2032-62-0x0000000000400000-0x000000000040B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 07:10

Reported

2024-10-16 07:12

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe"

Signatures

Renames multiple (2184) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe

"C:\Users\Admin\AppData\Local\Temp\efbef15ffcc735a51bf90b4ecb54e008c5af47adfb958d0416522961f6ea3429.exe"

Network

Country Destination Domain Proto

Files

memory/3596-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2878641211-696417878-3864914810-1000\desktop.ini.tmp

MD5 f9e45d7ae1414bf7718ff7e000732b12
SHA1 63665645e873edede95c47d9ffd6d05096af01b2
SHA256 4fae60c6d7cb18c6651013d43f965da699a05cfebdebd056b8a9e72d90aa4b5b
SHA512 ca8e034b2e4dd2976625759a0c49c5a1fe10b67c2bfdec5fe7f4c493242bde0c26e373072e1cf86358441f7cfff2380e0346ab76c8f36227534fdb9cc449643e

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 409808927c0a8078a9d2772a86c6bb27
SHA1 7bf3ec9db5b5be01b1052797a05097fac629d52b
SHA256 802fa7f012a7fe427e124600a87c0c25ab1aa6a102e374acb3efe2a2c81fe544
SHA512 f0ce30c6ea28e26868903104143c20d547a4c0fe093568c6c1a6c94a77f0adafdfe53b6d06a5aa4e07566a425f4d60723252f819dac6582f8f03875968788991

memory/3596-384-0x0000000000400000-0x000000000040B000-memory.dmp