Malware Analysis Report

2025-01-22 20:15

Sample ID 241019-y15e4swfpe
Target edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N
SHA256 edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642
Tags
upx discovery ransomware
score
9/10

Analysis Overview

score
9/10

SHA256

edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642

Threat Level: Likely malicious

The file edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N was found to be: Likely malicious.

Malicious Activity Summary

upx discovery ransomware

Renames multiple (3242) files with added filename extension

Renames multiple (4618) files with added filename extension

UPX packed file

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-19 20:16

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-19 20:16

Reported

2024-10-19 20:18

Platform

win7-20240903-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe"

Signatures

Renames multiple (3242) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe

"C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe"

Network

N/A

Files

memory/1792-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2872745919-2748461613-2989606286-1000\desktop.ini.tmp

MD5 3bd1ba1bd448c931c4f5de0045ff278a
SHA1 faa05a23b1f52902f9c6877566e131aaa8d4eea7
SHA256 7ccbf2ccdd751039c4fcd6b75526fabcb9bbe4eee777f6af8934c26b344efa04
SHA512 f984cbde052b993f49d78c722c0d4572f6387b614f9bbdd2fb82084395b822a9ff6515a36d03ebc8faa423983cc40c3a4293f26c46b995d274ccb237a3ce432e

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 ba4b0030a6f62c0d8acad6b683f8cf1c
SHA1 f0d12a5fb1a09bc961d401280f00fa28b14a9c9d
SHA256 15181e0a5f736671cfec5e996beefda961af75c056bc809a66f78655444598ca
SHA512 d8418ca24d9d8b966a95b66733d0b034ff6b71298dd69e479540a4384bf01e6f7d6a6e655d814d5c9f348d3b2153d0a8a5f4f0cc719efcf1b5b66647c82a1329

memory/1792-70-0x0000000000400000-0x000000000040B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-19 20:16

Reported

2024-10-19 20:18

Platform

win10v2004-20241007-en

Max time kernel

119s

Max time network

105s

Command Line

"C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe"

Signatures

Renames multiple (4618) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe

"C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 134.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 101.11.19.2.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

memory/4740-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3442511616-637977696-3186306149-1000\desktop.ini.tmp

MD5 65ca5ee8f353a6da958badb2fcd06e80
SHA1 ea27531f9f78601fc69428a60e839fdfb046f771
SHA256 ab155810aea2d880317134e4377567b322e9d26268fb915bd22318fec67cb2e5
SHA512 9279b3483c7f98ae536b5c9d2987ba5fe401097324ba872cbe0a373dc031dcadad919c6806d102629c99dda60d9afe25ff22cf4f7edff368e52c58fe6d1442da

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 9cf87b207f77fedb83be1e8053407eda
SHA1 c41dce1de959ec679613c8cf028342c9afb33a48
SHA256 7f75917ada98b884fb826e36af1b3faa62a2447b61e5fdf32876c82a63a824a3
SHA512 8fe18eb6d01c235111dceaa98f6a115f2620e64d0b6d3e40ac1f2fd0f5a3571cdac248660f3c5805f81a06c7420472cde237143d522ee88e184470b5a8a28f6b

memory/4740-668-0x0000000000400000-0x000000000040B000-memory.dmp