Malware Analysis Report

2025-03-15 08:22

Sample ID: 241020-3gywfawgmg
Target: 8e8850720ce22fc389af2c667c58ca4b9aef13ae54e3b2ecf8565a27c63d9726N
SHA256: 8e8850720ce22fc389af2c667c58ca4b9aef13ae54e3b2ecf8565a27c63d9726
Tags: upx, discovery, ransomware
Score: 9/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 9/10

SHA256: 8e8850720ce22fc389af2c667c58ca4b9aef13ae54e3b2ecf8565a27c63d9726

Threat Level: Likely malicious

The file 8e8850720ce22fc389af2c667c58ca4b9aef13ae54e3b2ecf8565a27c63d9726N was found to be: Likely malicious.

Malicious Activity Summary

Tags: upx, discovery, ransomware

Renames multiple (2817) files with added filename extension

Renames multiple (4025) files with added filename extension

UPX packed file

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-10-20 23:29

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-20 23:29
Reported: 2024-10-20 23:31
Platform: win7-20240708-en
Max time kernel: 120s
Max time network: 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8e8850720ce22fc389af2c667c58ca4b9aef13ae54e3b2ecf8565a27c63d9726N.exe"

Signatures

Renames multiple (2817) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8e8850720ce22fc389af2c667c58ca4b9aef13ae54e3b2ecf8565a27c63d9726N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8e8850720ce22fc389af2c667c58ca4b9aef13ae54e3b2ecf8565a27c63d9726N.exe

"C:\Users\Admin\AppData\Local\Temp\8e8850720ce22fc389af2c667c58ca4b9aef13ae54e3b2ecf8565a27c63d9726N.exe"

Network

N/A

Files

memory/2180-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3551809350-4263495960-1443967649-1000\desktop.ini.tmp

MD5 d16b84a4854d9dcf21714a9bfbf0248e
SHA1 b51ea79d8c532fde6acec48679f4f6ed8772af09
SHA256 5f981bd8f044e5a8d3f43a458c106a586873dbc900aa557eaa8f427c5d0564e8
SHA512 8515e9f1864c460482ab49e67b75ff948d715183819840bdd528176699af5604f21dac7dc8f4ac7bf2ff3221e3b2534f9c6cc61401aa4182316ae4f3ec9b46d7

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 321071294f61c7de648e863aff69065f
SHA1 d055e32b9a26ac05c0f880920c4e08c54547292f
SHA256 4510937e52266f946992ba9d191ff64af96e6511867e0827e2e9773f2100924e
SHA512 b2332dae73c4f40a47cdc9dd1797b5e8a04115744b614b6c7bf1d9d4b982b9d5e08ef52eeb57f13ef3f49795e210470b634de3327adef2b3c6766b204aae27fb

memory/2180-62-0x0000000000400000-0x000000000040B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-10-20 23:29
Reported: 2024-10-20 23:31
Platform: win10v2004-20241007-en
Max time kernel: 119s
Max time network: 106s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8e8850720ce22fc389af2c667c58ca4b9aef13ae54e3b2ecf8565a27c63d9726N.exe"

Signatures

Renames multiple (4025) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8e8850720ce22fc389af2c667c58ca4b9aef13ae54e3b2ecf8565a27c63d9726N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8e8850720ce22fc389af2c667c58ca4b9aef13ae54e3b2ecf8565a27c63d9726N.exe

"C:\Users\Admin\AppData\Local\Temp\8e8850720ce22fc389af2c667c58ca4b9aef13ae54e3b2ecf8565a27c63d9726N.exe"

Network

Country Destination Domain Proto

Files

memory/4868-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2437139445-1151884604-3026847218-1000\desktop.ini.tmp

MD5 261a3e4129784d72eb890d17e3e25fc9
SHA1 454850bd64cdf5a35061a092b05b98b9cc3a915e
SHA256 0e75cc677536b0225300c3d520f7d0ef00007772e081779a1fcfd14bb6ce2e06
SHA512 8a8d72256e67291ad88da104e1fa7e281ff17c4e6bbc258ecbb0f6bd6407edc103b9599eb833671f4bcdb0717ecf78edfd14f256c91efb8a45367f18a435d57a

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 52e998fc11a4c879a754527d4624e3c1
SHA1 64689144e8c5ccf32b55709ca28a1ff0f02a515a
SHA256 6195c5bbeec61680ac75c26b3e32b580c05aedd15077e9bda5d8a5c4a601ba85
SHA512 715b4101a43dfdb98ce8d5dd507fd80ebc1c6a1d553438ddf43c5ffdfdffc18aa0d7af01408d53c97f14ce51f079004c9f981fbbe6b7a64a4a2ba82c9d0bcea9

memory/4868-648-0x0000000000400000-0x000000000040B000-memory.dmp