Malware Analysis Report

2025-01-22 20:16

Sample ID 241020-bl1gaasbql
Target 9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N
SHA256 9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428
Tags
upx discovery ransomware
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428

Threat Level: Likely malicious

The file 9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N was found to be: Likely malicious. In both detonations the sample runs as a single process with no children; the only behavioural signatures are the mass creation/renaming of *.tmp files (largely under Program Files) and a read of the system language registry key. No persistence, shadow-copy deletion, service tampering or command-and-control indicators were flagged.

Malicious Activity Summary

upx discovery ransomware

Renames multiple (4576) files with added filename extension (behavioral2, win10v2004; the larger count reflects the Office, Java and .NET installs present on that image)

Renames multiple (262) files with added filename extension (behavioral1, win7)

UPX packed file

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

MITRE ATT&CK

Enterprise Matrix V15. Techniques corresponding to the signatures in this report:

T1027.002 Obfuscated Files or Information: Software Packing (UPX packed file)

T1614.001 System Location Discovery: System Language Discovery (NLS\Language key opened)

T1486 Data Encrypted for Impact (mass rename of files with an added extension; ransomware tag)

Analysis: static1

Detonation Overview

Reported

2024-10-20 01:14

Signatures

UPX packed file

upx
1 match; description, indicator, process and target not recorded

Unsigned PE

1 match; description, indicator, process and target not recorded
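The two static1 signatures, UPX packed file and Unsigned PE, can be reproduced from the PE headers alone. The following Python is an added example, not part of the sandbox report or its signature engine: it walks the section table and the security data directory of a PE image, applies a UPX section-name check plus a section-layout heuristic, and builds two constructed fixtures with build_pe() so the checks run without the sample. The entropy threshold of 7.0 and the "first section has no raw data" rule are assumptions about a stock UPX layout, not values taken from this report.

```python
"""Static checks behind the two static1 signatures: 'UPX packed file' and
'Unsigned PE'. Stdlib only (no pefile); build_pe() makes constructed
fixtures so the checks can be exercised without a real sample."""
import math
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4          # Authenticode signature directory


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 for empty input; packed/encrypted data sits near 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(buf: bytes) -> dict:
    """Minimal PE32/PE32+ header walk: section table and security directory."""
    if buf[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", buf, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", buf, opt)[0]
    # NumberOfRvaAndSizes / DataDirectory offsets differ between PE32 and PE32+
    nrva_off, dd_off = (92, 96) if magic == 0x10B else (108, 112)
    nrva = struct.unpack_from("<I", buf, opt + nrva_off)[0]
    sec_size = 0
    if nrva > IMAGE_DIRECTORY_ENTRY_SECURITY:
        _, sec_size = struct.unpack_from(
            "<II", buf, opt + dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    sections = []
    table = opt + opt_size
    for i in range(nsections):
        name, vsize, _, rawsize, rawptr = struct.unpack_from("<8sIIII", buf, table + 40 * i)
        raw = buf[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "rawsize": rawsize,
                         "entropy": shannon_entropy(raw)})
    return {"machine": machine, "sections": sections, "signed": sec_size > 0}


def triage(buf: bytes) -> dict:
    """Reproduce the two static verdicts from this report for an in-memory PE."""
    pe = parse_pe(buf)
    names = [s["name"] for s in pe["sections"]]
    upx_names = any(n.upper().startswith("UPX") for n in names)
    # Stock UPX layout (assumed heuristic): the first section has no raw data
    # (it is filled at runtime) and the second, holding the compressed image,
    # is near-maximum entropy. This still fires when UPX0/UPX1 were renamed.
    upx_layout = (len(pe["sections"]) >= 2 and pe["sections"][0]["rawsize"] == 0
                  and pe["sections"][1]["entropy"] > 7.0)
    return {"upx": upx_names or upx_layout, "unsigned": not pe["signed"],
            "sections": names}


def build_pe(sections, signed=False) -> bytes:
    """Constructed PE32 fixture (not a real binary): sections is a list of
    (name, raw_bytes, virtual_size); signed=True appends a dummy WIN_CERTIFICATE
    and points the security directory at it."""
    opt_size, file_align = 224, 0x200                 # PE32 optional header, 16 dirs
    hdr_end = 0x40 + 4 + 20 + opt_size + 40 * len(sections)
    raw_start = -(-hdr_end // file_align) * file_align
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                  # NumberOfRvaAndSizes
    headers, blobs, rva, ptr = b"", b"", 0x1000, raw_start
    for name, raw, vsize in sections:
        padded = raw.ljust(-(-len(raw) // file_align) * file_align, b"\0")
        headers += struct.pack("<8sIIIIIIHHI", name, vsize, rva, len(raw),
                               ptr if raw else 0, 0, 0, 0, 0, 0x60000020)
        blobs += padded
        ptr += len(padded)
        rva += -(-max(vsize, 1) // 0x1000) * 0x1000
    cert = b""
    if signed:
        cert = struct.pack("<IHH", 16, 0x200, 2) + b"\0" * 8   # WIN_CERTIFICATE stub
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         ptr, len(cert))
    image = (dos + b"PE\0\0" + coff + bytes(opt) + headers).ljust(raw_start, b"\0")
    return image + blobs + cert


# Constructed fixtures: a UPX-style layout and a plain, signed layout.
PACKED = build_pe([(b"UPX0", b"", 0x8000), (b"UPX1", bytes(range(256)) * 16, 0x1000)])
PLAIN = build_pe([(b".text", b"\xC3" * 512, 0x200), (b".data", b"\0" * 512, 0x200)],
                 signed=True)

if __name__ == "__main__":
    for label, img in (("packed", PACKED), ("plain", PLAIN)):
        print(label, triage(img))
```

Against a real file, pass open(path, "rb").read() to triage(). An empty security directory only means the file carries no embedded Authenticode blob; catalog-signed Windows system files also read as unsigned by this check, so treat the result as a triage flag rather than a verdict.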

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-20 01:14

Reported

2024-10-20 01:16

Platform

win7-20241010-en

Max time kernel

120s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe"

Signatures

Renames multiple (262) files with added filename extension

ransomware

UPX packed file

upx
4 matches; description, indicator, process and target not recorded

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\7-Zip\Lang\mr.txt.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOLoader.dll.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationLeft_ButtonGraphic.png.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ipsdan.xml.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\Common Files\System\msadc\de-DE\msadcfr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationLeft_SelectionSubpicture.png.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwritash.dat.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\de-DE\sqloledb.rll.mui.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\NextMenuButtonIconSubpictur.png.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-over-DOT.png.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\7-Zip\Lang\cy.txt.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\micaut.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-phonetic.xml.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwruklm.dat.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_travel_Thumbnail.bmp.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\sqloledb.dll.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationRight_ButtonGraphic.png.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SceneButtonInset_Alpha1.png.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationUp_SelectionSubpicture.png.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\eventlog_provider.dll.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.jpg.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Cave_Drawings.gif.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\Common Files\Services\verisign.bmp.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\InkObj.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\OFFICE14\msoshext.dll.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI.DLL.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.htm.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainBackground.wmv.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\106.0.5249.119.manifest.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToNotesBackground_PAL.wmv.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationRight_SelectionSubpicture.png.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Scene_loop.wmv.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\photograph.png.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\selection_subpicture.png.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwresmlm.dat.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\TipTsf.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-previous-static.png.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\TipTsf.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOMessageProvider.dll.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\Common Files\System\msadc\msadds.dll.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\Common Files\System\msadc\msdaprst.dll.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationRight_ButtonGraphic.png.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\whitemask1047.png.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Filters\odffilt.dll.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\mip.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Memories_buttonClear.png.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_performance_Thumbnail.bmp.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationUp_SelectionSubpicture.png.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\auxbase.xml.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\Common Files\System\msadc\fr-FR\msdaremr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\colorcycle.png.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\performance.png.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\OrangeCircles.jpg.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\Common Files\System\msadc\adcjavas.inc.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\DVD Maker\en-US\DVDMaker.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\DVD Maker\it-IT\WMM2CLIP.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationUp_ButtonGraphic.png.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\7-Zip\7z.dll.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\Common Files\System\ado\msado20.tlb.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\chapters-static.png.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
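The rename signature and the *.tmp paths in the table above are what a detection pipeline sees as file events. The following Python is an added example, not part of the report or the sandbox's rule set: it scores each process by how many existing files it has re-created or renamed with one extra extension appended, and across how many top-level directories, which separates this pattern from an installer writing a handful of temp files in one folder. The event line format is constructed for this example (loosely modelled on file-create/rename telemetry such as Sysmon's), the image path is shortened to sample.exe, the thresholds min_files and min_spread are assumed, and the file paths are taken from this report.

```python
"""Score processes for the 'renames multiple files with added filename extension'
pattern. Event lines are a constructed format for this example:
  <ts> pid=<n> image="<exe>" FileCreate "<path>"
  <ts> pid=<n> image="<exe>" Rename "<old>" -> "<new>"
"""
import re
from collections import defaultdict

EVENT_RE = re.compile(
    r'^(?P<ts>\S+) pid=(?P<pid>\d+) image="(?P<image>[^"]+)" '
    r'(?P<op>FileCreate|Rename) "(?P<src>[^"]+)"(?: -> "(?P<dst>[^"]+)")?$')


def appended_extension(src: str, dst: str):
    """'x.png' -> 'x.png.tmp' gives 'tmp'; any other rename gives None."""
    if dst.startswith(src + "."):
        tail = dst[len(src) + 1:]
        if tail and "\\" not in tail and "." not in tail:
            return tail.lower()
    return None


def created_with_extra_extension(path: str):
    """FileCreate carries no old name, so infer it: 'x.png.tmp' is treated as
    'x.png' + 'tmp'. A plain temp name such as MSI4F2A.tmp has only one
    extension and is ignored. Returns (inferred_original, ext) or None."""
    parts = path.rsplit("\\", 1)[-1].split(".")
    if len(parts) >= 3 and all(parts[-3:]):
        return path.rsplit(".", 1)[0], parts[-1].lower()
    return None


def spread_key(path: str) -> str:
    """Drive plus two components (C:\\Program Files\\7-Zip); the number of distinct
    keys measures how widely a process is touching the file system."""
    return "\\".join(path.split("\\")[:3]).lower()


def analyze(lines, min_files=50, min_spread=3):
    """One alert per (pid, extension) whose distinct original files and directory
    spread both reach the thresholds (assumed values, not from the report)."""
    per_proc = defaultdict(lambda: {"image": "", "exts": defaultdict(set)})
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        if m["op"] == "Rename":
            if not m["dst"]:
                continue
            original, ext = m["src"], appended_extension(m["src"], m["dst"])
        else:
            original, ext = created_with_extra_extension(m["src"]) or (None, None)
        if ext is None:
            continue
        rec = per_proc[int(m["pid"])]
        rec["image"] = m["image"]
        rec["exts"][ext].add(original)
    alerts = []
    for pid, rec in sorted(per_proc.items()):
        for ext, originals in rec["exts"].items():
            spread = {spread_key(p) for p in originals}
            if len(originals) >= min_files and len(spread) >= min_spread:
                alerts.append({"pid": pid, "image": rec["image"], "ext": ext,
                               "files": len(originals), "spread": len(spread)})
    return alerts


# Constructed events: pid 840 replays paths from this report (image shortened);
# the msiexec and explorer lines are benign controls.
SAMPLE_EVENTS = r"""
2024-10-20T01:14:31 pid=840 image="C:\Users\Admin\AppData\Local\Temp\sample.exe" FileCreate "C:\$Recycle.Bin\S-1-5-21-3692679935-4019334568-335155002-1000\desktop.ini.tmp"
2024-10-20T01:14:31 pid=840 image="C:\Users\Admin\AppData\Local\Temp\sample.exe" FileCreate "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp"
2024-10-20T01:14:32 pid=840 image="C:\Users\Admin\AppData\Local\Temp\sample.exe" FileCreate "C:\Program Files\7-Zip\Lang\mr.txt.tmp"
2024-10-20T01:14:32 pid=840 image="C:\Users\Admin\AppData\Local\Temp\sample.exe" Rename "C:\Program Files\7-Zip\7z.dll" -> "C:\Program Files\7-Zip\7z.dll.tmp"
2024-10-20T01:14:32 pid=840 image="C:\Users\Admin\AppData\Local\Temp\sample.exe" FileCreate "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOLoader.dll.tmp"
2024-10-20T01:14:33 pid=840 image="C:\Users\Admin\AppData\Local\Temp\sample.exe" FileCreate "C:\Program Files\Common Files\Microsoft Shared\ink\ipsdan.xml.tmp"
2024-10-20T01:14:33 pid=840 image="C:\Users\Admin\AppData\Local\Temp\sample.exe" FileCreate "C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\tipresx.dll.mui.tmp"
2024-10-20T01:14:33 pid=840 image="C:\Users\Admin\AppData\Local\Temp\sample.exe" FileCreate "C:\Program Files\Common Files\System\msadc\de-DE\msadcfr.dll.mui.tmp"
2024-10-20T01:14:34 pid=840 image="C:\Users\Admin\AppData\Local\Temp\sample.exe" Rename "C:\Program Files\Common Files\Services\verisign.bmp" -> "C:\Program Files\Common Files\Services\verisign.bmp.tmp"
2024-10-20T01:14:34 pid=840 image="C:\Users\Admin\AppData\Local\Temp\sample.exe" FileCreate "C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationLeft_ButtonGraphic.png.tmp"
2024-10-20T01:14:34 pid=840 image="C:\Users\Admin\AppData\Local\Temp\sample.exe" FileCreate "C:\Program Files\Google\Chrome\Application\106.0.5249.119\eventlog_provider.dll.tmp"
2024-10-20T01:14:35 pid=840 image="C:\Users\Admin\AppData\Local\Temp\sample.exe" FileCreate "C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.jpg.tmp"
2024-10-20T01:14:35 pid=1204 image="C:\Windows\System32\msiexec.exe" FileCreate "C:\Windows\Installer\MSI4F2A.tmp"
2024-10-20T01:14:36 pid=3012 image="C:\Windows\explorer.exe" Rename "C:\Users\Admin\Documents\report.docx" -> "C:\Users\Admin\Documents\report.docx.bak"
2024-10-20T01:14:36 pid=3012 image="C:\Windows\explorer.exe" Rename "C:\Users\Admin\Documents\old.txt" -> "C:\Users\Admin\Documents\new.txt"
"""

if __name__ == "__main__":
    # Thresholds lowered because the constructed sample holds only 12 files.
    for alert in analyze(SAMPLE_EVENTS.splitlines(), min_files=10, min_spread=3):
        print(alert)
```

With the defaults the constructed sample produces no alert; lowering min_files to 10 flags pid 840 alone, because the single explorer rename and the msiexec temp file never reach the count, and MSI4F2A.tmp carries only one extension so it is not counted at all. In production the counts should be kept per process over a sliding window rather than over the whole log.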

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A

On its own this is a weak indicator: the signature fires on a single open of the NLS\Language key, which many legitimate programs also perform during locale initialisation, and nothing in this run shows the returned value being acted on (for example, exiting before encryption on particular locales).

Processes

C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe

"C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe"

Network

N/A

Files

memory/840-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3692679935-4019334568-335155002-1000\desktop.ini.tmp

MD5 a9c3ee186956fb579b6dda2fb3aef7ca
SHA1 151e640436dbe72a0d17076dbcc496e913feb29e
SHA256 4a2200264af778c431d17284aa0913164c5d07ed156d5179e09ac0e4b8374ee4
SHA512 e72c29af5fb8384ac2887e4253922d7f821669c4eead0f68041c7086ffb22b1b746f431c1ec97d4fa6bf1ad5ee51bc623fa0a2fdda1057a620a5c7be8cd7ceca

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 28c67c6621989e6562fa74bfcb76adbc
SHA1 a9ad6a1a2f896febc42540ed6db92366d9d9e25b
SHA256 2981a52ceea6148d5c5a507dae7fbdb285dda6152c024a1a02a41f3def8d87d6
SHA512 8bc3dcd8aede48d89fbcf6732e3a2c286833d8c55e8fcd9ff738ee103ddd81c04ea4dba5c830b67fb17f8ccd19ad2366aef85a640606455e7a2150d91fd98f33

memory/840-20-0x0000000000400000-0x000000000040B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-20 01:14

Reported

2024-10-20 01:16

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe"

Signatures

Renames multiple (4576) files with added filename extension

ransomware

UPX packed file

upx
4 matches; description, indicator, process and target not recorded

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Java\jdk-1.8\jre\lib\jsse.jar.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework-SystemCore.dll.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\System.Xaml.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\Java\jdk-1.8\legal\jdk\mesa3d.md.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\as80.xsl.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\Internet Explorer\ieinstal.exe.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Trial-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_OEM_Perp-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTest-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\16\Built-In Building Blocks.dotx.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\UIAutomationClientSideProviders.dll.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_SubTrial-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_MAK_AE-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\WordR_OEM_Perp-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\INTLDATE.DLL.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\fontmanager.dll.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\trdtv2r41.xsl.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\GRAPH.EXE.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Windows.Controls.Ribbon.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\java.exe.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\mlib_image.dll.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\Microsoft Office\PackageManifests\AuthoredExtensions.16.xml.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_KMS_Client_AE-ul.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.SecureString.dll.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\Internet Explorer\ExtExport.exe.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\ext\jfxrt.jar.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\Microsoft Office\root\Client\msvcr120.dll.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_Subscription-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_MAK-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.FileSystem.DriveInfo.dll.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\System.Windows.Forms.Design.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Serialization.Json.dll.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\PresentationUI.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp2-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\mscss7fr.dll.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\uk-UA\tabskb.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Resources.ResourceManager.dll.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\javafx.properties.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\jfr.jar.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Trial-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTrial-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\7-Zip\Lang\mk.txt.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\it-IT\mshwLatin.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\Java\jdk-1.8\legal\jdk\joni.md.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\OneNoteFreeR_Bypass-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-locale-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\7-Zip\Lang\cy.txt.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.zh-cn.dll.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Windows.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\jp2iexp.dll.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\GRINTL32.DLL.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART4.BDR.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Transactions.Local.dll.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Xaml.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Arial-Times New Roman.xml.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_MAK-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Trial-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVFileSystemMetadata.dll.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Windows.Input.Manipulations.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\UIAutomationProvider.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\deploy\ffjcext.zip.tmp C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe

"C:\Users\Admin\AppData\Local\Temp\9ea787c2a7480585736a58778cdb6f3b61c80b48b7d3b5efa8a73f6d55a57428N.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 28.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

The table carries no process attribution. Reverse lookups of Microsoft address space and HTTPS fetches from the Bing thumbnail service are consistent with Windows 10 background activity on the sandbox image rather than with the sample, which made no connections at all in the win7 run (behavioral1). Treat this as noise unless a capture ties it to the sample's process.

Files

memory/2400-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-4050598569-1597076380-177084960-1000\desktop.ini.tmp

MD5 5d66a9c6c71f31ec3c6834955c463239
SHA1 bf877be261127afc78667ad726f2a019e72ea8c6
SHA256 964ccebf166273df65429f5b8b260e941a533a9ded473ce313e179c83d9710af
SHA512 2f1f18525539f0ef4eae3f888feec40bbf47ec04ccd41dc91e4a86df68918a166747be55fbcd9b9abdb9d7954eb2871a5162f1041d7228e00ae577a4fe942ea3

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 a24ef462d7bd27b76023403db0a5627c
SHA1 3a8c49698ad1192c1cfa5e76b489cd2fbbc0f6f9
SHA256 69f4c3ebad0a827868a0ddb24e16d77bc31caf8da2a65dc5fc6b9cb769bc04e2
SHA512 9ca90ab208623fc0fe89e26d2f942b93fb53c20e118269192c7af4f84f2b52fe73805edb511698c4e8cfb3f9f9d3646bd660bab12e634bac39fb08ab7c810eaa

memory/2400-668-0x0000000000400000-0x000000000040B000-memory.dmp