Malware Analysis Report

2025-01-22 20:17

Sample ID 241020-d6jelsyeql
Target efc94de13fd08da008fa80441742090e6042bca3b968905086cb599aa36eb178
SHA256 efc94de13fd08da008fa80441742090e6042bca3b968905086cb599aa36eb178
Tags upx, discovery, ransomware
Score 9/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Threat Level: Likely malicious

The file efc94de13fd08da008fa80441742090e6042bca3b968905086cb599aa36eb178 was found to be: Likely malicious.

Malicious Activity Summary

upx discovery ransomware

Renames multiple (593) files with added filename extension

Renames multiple (5025) files with added filename extension

UPX packed file

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-20 03:37

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-20 03:37

Reported

2024-10-20 03:39

Platform

win7-20241010-en

Max time kernel

150s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\efc94de13fd08da008fa80441742090e6042bca3b968905086cb599aa36eb178.exe"

Signatures

Renames multiple (593) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target

System Location Discovery: System Language Discovery

discovery
Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Local\Temp\efc94de13fd08da008fa80441742090e6042bca3b968905086cb599aa36eb178.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\efc94de13fd08da008fa80441742090e6042bca3b968905086cb599aa36eb178.exe

"C:\Users\Admin\AppData\Local\Temp\efc94de13fd08da008fa80441742090e6042bca3b968905086cb599aa36eb178.exe"

Network

N/A

Files

memory/1656-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3692679935-4019334568-335155002-1000\desktop.ini.tmp

MD5 e494aaf55bc44bb8695063b2ee8b68f9
SHA1 5512a704ab7608d507d47075eaa1acf82f87f2d9
SHA256 cb0d5a6b4a29866edd172aef60257e83f5b39bf696f38e0dc99646c220eb4923
SHA512 9c0f47fef4656733603671888f637f7d3149dd5618d7aae7f64dd57a57a86af673928fbb8bd647700772b8a0ff8f4a9f841f9021cb16536a137d53a3868a4c4e

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 3b476ffed8cd15f12cea8a050f41d33a
SHA1 834099449d08137be3e960e3a3785dbc2635572e
SHA256 9b6a8cbe40043b53e8b970d0bedd88f535a3367b183fdd8d23828d33450f092e
SHA512 07be5891c3f63d05097423d5d7c0e2e456c73f8a97295e8f738c1cd6339593c751496cfc8790c1616178a6210f98ab2c64c236c2d91687915c67d0a9e37280e0

memory/1656-26-0x0000000000400000-0x000000000040B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-20 03:37

Reported

2024-10-20 03:39

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\efc94de13fd08da008fa80441742090e6042bca3b968905086cb599aa36eb178.exe"

Signatures

Renames multiple (5025) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target

System Location Discovery: System Language Discovery

discovery
Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Local\Temp\efc94de13fd08da008fa80441742090e6042bca3b968905086cb599aa36eb178.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\efc94de13fd08da008fa80441742090e6042bca3b968905086cb599aa36eb178.exe

"C:\Users\Admin\AppData\Local\Temp\efc94de13fd08da008fa80441742090e6042bca3b968905086cb599aa36eb178.exe"

Network

Country Destination Domain Proto

Files

memory/3268-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-1045960512-3948844814-3059691613-1000\desktop.ini.tmp

MD5 ba9b0ea484f750f12c3dee84f96320d2
SHA1 3298442daa8daebaf5a5fc3f2e7bba87c5a7f47b
SHA256 5432ab60b9f2652e867cb0ee4256dcee3d1f42c4d58fbf57a66829d1827a4f19
SHA512 7e06432922a1a9e38cceff030abefda365013a92fc59635d8d753d9c46a3a05750763b00f9dec50f8ab3881949ecf7699ed7244949134435f2b45754740c2c36

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 9218b55f1d711fc4a68afce1f2213fa0
SHA1 bda0f82c65f9d0f0a29cc0f9372300a7cd7b5312
SHA256 c4ba3a1f5200b4e152565c7462d2f7006fdcec2db0352b8cd72cd095ff904c63
SHA512 4991fefd37ec56b8e169c6e968d0fb984a9d7801bc311d7063da435cbdcffb8df316c906c64126482b3cde7f6788d1d74a89f904e5377b194e8e3309d753f8ae

memory/3268-780-0x0000000000400000-0x000000000040B000-memory.dmp