Malware Analysis Report

2025-01-22 20:15

Sample ID 241019-y4zn2ayenk
Target edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N
SHA256 edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642
Tags
upx discovery ransomware
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642

Threat Level: Likely malicious

The file edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N was found to be: Likely malicious.

Malicious Activity Summary

upx discovery ransomware

Renames multiple (3785) files with added filename extension

Renames multiple (5024) files with added filename extension

UPX packed file

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-19 20:21

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-19 20:21

Reported

2024-10-19 20:23

Platform

win7-20240903-en

Max time kernel

150s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe"

Signatures

Renames multiple (3785) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Hobart.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\feature.xml.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Mozilla Firefox\api-ms-win-crt-process-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\Microsoft.Build.Conversion.v3.5.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\TabIpsps.dll.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationUp_ButtonGraphic.png.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\include\jvmticmlr.h.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\clock.html.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\blank.png.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Windows Journal\JNTFiltr.dll.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_dot.png.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Common Files\System\msadc\de-DE\msdaprsr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Common Files\System\msadc\es-ES\msadcfr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Tegucigalpa.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Java\jre7\lib\deploy\messages_it.properties.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\UIAutomationClientsideProviders.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\wa\LC_MESSAGES\vlc.mo.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_vc1_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_divider_right.png.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\feature.xml.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\gtkTSFrame.png.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Africa\Tunis.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\MST7MDT.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-execution_zh_CN.jar.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Guayaquil.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\codec\libedummy_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Google\Chrome\Application\chrome_proxy.exe.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Budapest.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.console.nl_zh_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core_zh_CN.jar.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\7-Zip\Lang\zh-cn.txt.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\mainscroll.png.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Regina.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_corner_top_right.png.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\codec\libaes3_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\css\picturePuzzle.css.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\DigSig.api.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\ink\imjplm.dll.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BlackRectangle.bmp.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Denver.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Asia\Ashgabat.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\System.Speech.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\vlc.mo.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\extensions\VLSub.luac.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Windows Defender\MpSvc.dll.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\include\win32\jawt_md.h.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Hermosillo.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-swing-tabcontrol.xml.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Entity.Design.dll.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Microsoft Office\Office14\BCSLaunch.dll.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_left_mousedown.png.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_divider_right.png.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_cloudy.png.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\TipTsf.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\fi.pak.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_it.properties.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Atlantic\South_Georgia.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\README.TXT.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.dll.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.beans_1.2.200.v20140214-0004.jar.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-io.jar.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-threaddump.xml.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked-loading.png.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe

"C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe"

Network

N/A

Files

memory/2148-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-1488793075-819845221-1497111674-1000\desktop.ini.tmp

MD5 840c3447209950795cfe3aeff8121d18
SHA1 33cb244ad43e687b305a66c28e5c2a3ad46722c0
SHA256 f876632a334a45283eebe251a4394e88051975b6ca87e0147fdb322b258254c7
SHA512 f23bbe6656b9a622ac6e7c9a102e49341e39f30c84e4d01d4c88cb145f2a3db53f840755c01d6b539d3b443f264f03d4ba27822cbcb9820ae1bfd56148f67625

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 0b26c52f9e5ef6996c2c8f053be50042
SHA1 eeb1df73684a0d81fe9de8b404426e3ce29316b9
SHA256 f7b7868cc9f9416bf262a35a1a90ee160ede477aeeddd571cc6c0478a619e2cc
SHA512 7fbccf647e995d55039fb7cfb7f90eb329e43dc6c6c98962654380d8a70711bfe984b494eb25cf2333b6842a6e75ea17b8a0d58c1342f876ff3f019ad77ca1ec

memory/2148-74-0x0000000000400000-0x000000000040B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-19 20:21

Reported

2024-10-19 20:23

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe"

Signatures

Renames multiple (5024) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\bwcapitalized.dotx.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\OFFSYMXB.TTF.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\ISO690.XSL.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PROOF\MSGR8ES.LEX.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PROOF\MSHY7FR.LEX.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R64.dll.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Windows.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\UIAutomationClientSideProviders.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Java\jre-1.8\legal\jdk\dynalink.md.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-synch-l1-2-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Trial-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Controls.Ribbon.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PenImc_cor3.dll.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-synch-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest4-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\OFFSYMT.TTF.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.X509Certificates.dll.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.dll.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\ReachFramework.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.Interfaces.dll.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Calibri.xml.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PROOF\msgr3jp.dll.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ipschs.xml.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\uk-UA\ShapeCollector.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\PresentationFramework.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\System.Windows.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.DocumentServices.dll.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL103.XML.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\psfont.properties.ja.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial3-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_MAKC2R-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\DisableMeasure.vsd.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.Aero2.dll.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntryR_PrepidBypass-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_MAK-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected] C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-profile-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\WindowsFormsIntegration.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\deploy\messages_zh_HK.properties.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-140.png.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Trial-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Trial-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-140.png.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Tasks.Parallel.dll.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Intrinsics.dll.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\PresentationCore.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O16ConsumerPerp_Bypass30-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Gallery.thmx.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_MAK_AE-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_OEM_Perp-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\personaspybridge.js.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Common Files\System\msadc\msadco.dll.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Extensions.dll.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\WindowsBase.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\UIAutomationClient.dll.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\PresentationCore.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\c2rpridslicensefiles_auto.xml.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-processthreads-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe

"C:\Users\Admin\AppData\Local\Temp\edf2a9d4c8df07bf2480b51f00c01a43e6aea0ac17995b08020f0325848d4642N.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 98.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 70.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

memory/1444-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2878641211-696417878-3864914810-1000\desktop.ini.tmp

MD5 0497b78b8ff0db94e8acaa0d251fabf8
SHA1 c097de546e3301d389a46dfafcb3cd6be547b80f
SHA256 62d5085379d64bd0ca305ec1972f15e5099817b00261eeb4ab85b8ddede20fec
SHA512 78cedd803c48580dfe36d332d1b71fb9c1189e12a9673281f30cd7f95ee28510101de8406112e0f143fedd822e834363cefea8b4c036945d09bed342d79f790e

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 68c764ab39de384076d57c5f4a6db055
SHA1 06bf13e719cd63a7d628a1062746173a2a18e66e
SHA256 24b9970c30d62b1685a4a7ad1c085d44b164f3862ec1334b6f1817fd43508a04
SHA512 17d9ec798e7e5968833cc1862532a8a7e6d32b26b2e749c7647d8f7bce10db090af09339221b7c30b3ff060dbf07716ea61d5f098af99e0c04b662c672400f0b

memory/1444-666-0x0000000000400000-0x000000000040B000-memory.dmp