Malware Analysis Report

2025-03-15 08:19

Sample ID 241020-wxxvravbrk
Target e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N
SHA256 e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82
Tags
upx discovery ransomware
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82

Threat Level: Likely malicious

The file e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N was found to be: Likely malicious.

Malicious Activity Summary

upx discovery ransomware

Renames multiple (2859) files with added filename extension

Renames multiple (4453) files with added filename extension

UPX packed file

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-20 18:18

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-20 18:18

Reported

2024-10-20 18:20

Platform

win7-20240903-en

Max time kernel

120s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe"

Signatures

Renames multiple (2859) files with added filename extension

ransomware

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Majuro.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Java\jre7\lib\zi\Europe\Chisinau.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Java\jre7\lib\zi\Pacific\Tongatapu.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Mozilla Firefox\nss3.dll.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\tipresx.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\cs.pak.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\calendars.properties.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-profiler.xml.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.garbagecollector.nl_zh_4.4.0.v20140623020002.jar.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToNotesBackground_PAL.wmv.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Scene_loop_PAL.wmv.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\javafx.policy.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\FlickLearningWizard.exe.mui.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\he.pak.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Catamarca.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Brunei.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-api-caching.xml.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Java\jre7\bin\unpack200.exe.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Java\jre7\lib\jfr\profile.jfc.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\IpsMigrationPlugin.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Common Files\System\msadc\msdfmap.dll.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Java\jre7\lib\zi\Etc\GMT-11.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Java\jre7\lib\sound.properties.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\specialmainsubpicture.png.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+4.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-9.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Microsoft Games\More Games\ja-JP\MoreGames.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\vlc.mo.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\7-Zip\Lang\ku.txt.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\DVD Maker\Pipeline.dll.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.contexts_1.3.100.v20140407-1019.jar.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Java\jre7\lib\cmm\sRGB.pf.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\7-Zip\Lang\hy.txt.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToNotesBackground.wmv.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-12.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InkObj.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Java\jre7\lib\meta-index.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Microsoft Games\Multiplayer\Spades\de-DE\ShvlRes.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\artifacts.xml.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\jmxremote.password.template.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Matamoros.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\feature.properties.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.sun.el_2.2.0.v201303151357.jar.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Java\jre7\lib\zi\Africa\Windhoek.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Common Files\System\Ole DB\msdaps.dll.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\DVD Maker\OmdBase.dll.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\currency.data.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Java\jre7\LICENSE.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.Entity.Resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\sound.properties.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Jujuy.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-options-api.jar.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Miquelon.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\notification_plugin.jar.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.core.nl_zh_4.4.0.v20140623020002.jar.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-common_ja.jar.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Java\jre7\lib\zi\Asia\Vladivostok.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\whitemenu.png.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\scene_button_style_default_Thumbnail.bmp.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationUp_ButtonGraphic.png.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861258748.profile.gz.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench3_0.12.0.v20140227-2118.jar.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\1047x576black.png.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe

"C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe"

Network

N/A

Files

memory/3024-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-4177215427-74451935-3209572229-1000\desktop.ini.tmp

MD5 aa0fb915e41d0ab14fdd54bd7a249b1a
SHA1 524f9e87696e6847e836818a66c8260cab917f68
SHA256 a0a33f13127510978fbca69f6bc91a9961bc44abef17bfbfc7e752c817187d31
SHA512 b302c65c536dae53e973cf153c0faa5c84dfb096c73e23e7328eb904ae9d2b7b4fca1891d3f6f947a6880529d3e09c5e6d16b968d17da82df74304f3fc947252

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 904a5d36e857f230f275a80f1c33503d
SHA1 69d68b159610b35b597cef1dfcd025cc4176e28d
SHA256 e7f8aa76110a306921ff22166e11df449cfef24f42c697a9133e45379fe166f3
SHA512 df4aa0b7260065ce62c3ea2df89b1b0748423035984e63c8f36dcb70ddae190a9766e460a801cccb5d0d6b68a530d32e32bc9c8a29a3241f5a9cda5049bb231e

memory/3024-74-0x0000000000400000-0x000000000040B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-20 18:18

Reported

2024-10-20 18:20

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe"

Signatures

Renames multiple (4453) files with added filename extension

ransomware

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-heap-l1-1-0.dll.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Grace-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\jre\legal\javafx\public_suffix.md.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.Xml.dll.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Client\AppVLP.exe.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.Office.Tools.dll.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\Configuration\ssn_high_group_info.txt.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART10.BDR.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Windows.Forms.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\sw.pak.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\bin\ktab.exe.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Java\jre-1.8\lib\security\javaws.policy.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_MAK_AE-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Formats.Asn1.dll.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-file-l1-2-0.dll.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-pl.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Shims.dll.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\PRIVATE_ODBC32.dll.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Grace-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.Emit.dll.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Xaml.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\PresentationUI.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Java\jre-1.8\legal\javafx\mesa3d.md.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O16ConsumerPerp_Bypass30-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Forms.Design.Editors.dll.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-pl.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-180.png.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-environment-l1-1-0.dll.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Internet Explorer\iexplore.exe.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_KMS_Client_AE-ul.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Retail-pl.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\1036\MSO.ACL.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Common Files\System\Ole DB\ja-JP\sqloledb.rll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_100_percent.pak.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_pt_BR.properties.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_Subscription-pl.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Common Files\System\msadc\en-US\msadcer.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\PresentationFramework.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.AeroLite.dll.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\WordVL_MAK-ul-phn.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC.HXS.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.scale-80.png.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.SecureString.dll.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.Primitives.dll.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\coreclr.dll.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Tasks.Extensions.dll.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail2-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\1033\TelemetryLog.xltx.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\1033\TellMeOneNote.nrr.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Memory.dll.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Input.Manipulations.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Windows.Input.Manipulations.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Grace-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Java\jre-1.8\lib\jsse.jar.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvStreamingManager.dll.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Formats.Asn1.dll.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Google\Chrome\Application\123.0.6312.123\vk_swiftshader_icd.json.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCalls.h.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-filesystem-l1-1-0.dll.tmp | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe

"C:\Users\Admin\AppData\Local\Temp\e8ff0ba9c7fdaead5e0299c43c983077668701ccf6e26fea8640573319838c82N.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 150.171.28.10:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 102.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp

Files

memory/1184-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2437139445-1151884604-3026847218-1000\desktop.ini.tmp

MD5 33e258ed736ef6358d28ee6273ea6a36
SHA1 e07a2ac22e267f37841f1e9c545f7ada4d82711b
SHA256 2e97bc42e59a390705bd64fe30c6706313ee9c7c401a04cfbc248227e709a338
SHA512 82c86f5b5d5461a6cd4fad735c1fbffb1c67cec9db35fe59110c72ad5727ad3ecf39838063c89166133586ff266d92315c3ea7e6ef1d5bf7aefbc94896cf32b9

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 3a5bea06fcd8067aa4f86d43782f1ba9
SHA1 cd5eb965ec1ec06e5e38299df68d1fd71edbd902
SHA256 fde96b1a61733ddee35723834d9a738a0b0420d56713727cbce27a97f9624efa
SHA512 70f7d09fb1a41fd7d1a9965fae0b8578e9774d6b900d49f1abf84d54ca589a3892c6e6946202f60a30507d7d140fd6a9efd7a353393a23ab81ed559652b17c0a

memory/1184-668-0x0000000000400000-0x000000000040B000-memory.dmp