Malware Analysis Report

2025-03-15 08:27

Sample ID 241020-xz1vvswamc
Target c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N
SHA256 c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019
Tags: upx discovery ransomware
Score: 9/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 9/10

SHA256 c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019

Threat Level: Likely malicious

The file c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N was found to be: Likely malicious.

Malicious Activity Summary

upx discovery ransomware

Renames multiple (4139) files with added filename extension

Renames multiple (2857) files with added filename extension

UPX packed file

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-10-20 19:18

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-20 19:18
Reported: 2024-10-20 19:20
Platform: win7-20240903-en
Max time kernel: 120s
Max time network: 126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe"

Signatures

Renames multiple (2857) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Java\jre7\lib\zi\America\Cuiaba.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Microsoft Games\Hearts\de-DE\Hearts.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.httpcomponents.httpcore_4.2.5.v201311072007.jar.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-modules.xml.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Madeira.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\7-Zip\Lang\kk.txt.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-sa_ja.jar.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Tbilisi.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\epl-v10.html.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-javahelp.xml.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-autoupdate-ui.jar.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-selector-api.jar.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Europe\Istanbul.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Common Files\System\en-US\wab32res.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861258748.profile.gz.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Barbados.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Microsoft Office\Office14\BCSLaunch.dll.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring_ja.jar.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-uihandler.xml.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Internet Explorer\Timeline_is.dll.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Java\jre7\lib\calendars.properties.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\7-Zip\Lang\va.txt.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Asia\Chita.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l1-2-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\splash.gif.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-util.xml.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Java\jre7\bin\libxslt.dll.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\rtscom.dll.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\db\README-JDK.html.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\header-background.png.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.di_1.0.0.v20140328-2112.jar.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.eclipse.nl_ja_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\fr-FR\sqloledb.rll.mui.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\title_stripe.png.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Lindeman.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.servlet_3.0.0.v201112011016.jar.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwrlatinlm.dat.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\zip.dll.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Microsoft Games\Solitaire\de-DE\Solitaire.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-io-ui.jar.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer.ssl_1.0.0.v20140827-1444.jar.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-snaptracer.jar.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\203x8subpicture.png.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Tashkent.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Port_of_Spain.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.service.exsd.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-output2.xml.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-modules-options-keymap.xml_hidden.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\huemainsubpicture2.png.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\Xusage.txt.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-application.xml.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Java\jre7\bin\JavaAccessBridge-64.dll.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Java\jre7\lib\flavormap.properties.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Microsoft Games\Multiplayer\Checkers\it-IT\chkrzm.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\oledbvbs.inc.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Pago_Pago.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.sat4j.pb_2.3.5.v201404071733.jar.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-output2_zh_CN.jar.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Java\jre7\bin\decora-sse.dll.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Pacific\Saipan.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Common Files\System\msadc\de-DE\msaddsr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe

"C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe"

Network

N/A

Files

memory/2280-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-1488793075-819845221-1497111674-1000\desktop.ini.tmp

MD5 524b24073110bc86974457defde0892e
SHA1 b70101bbb2ef5d65f6d7522f6de2003a2fb514d5
SHA256 3b22923e1fa767d739a4cdd932069342dcaeb6380f8b9c104305976a17dfdec0
SHA512 eb7d4a7331dbf06cb8ec92c24e843b8011c85654480dbb35c1ca778c227b73cb5359162e24ff6a342ce49b9823bb14ee8d2dd187a6df5f7f1becf7105cb900ac

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 5eb16bd798b82a78e566e73f3e694bc1
SHA1 975a029c7e62ee381386dd00c66c8e01b32d684d
SHA256 af7c8320949560f67c30c0a23f583e63740acfa1dfad545355062c5662eefb2d
SHA512 ac5466850143a9b29e167a5c095b2922ef0e248fa993678944693f0bcaa011922832e8ffe0930ddcc7ea4f7dee641e1e1383c96a286a76c717269869fb46deb7

memory/2280-68-0x0000000000400000-0x000000000040B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-10-20 19:18
Reported: 2024-10-20 19:20
Platform: win10v2004-20241007-en
Max time kernel: 120s
Max time network: 105s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe"

Signatures

Renames multiple (4139) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\microsoft shared\ink\ru-RU\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\hr-HR\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\clrjit.dll.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.FileSystem.dll.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Windows.Input.Manipulations.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_OEM_Perp-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTest-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\7-Zip\Lang\lv.txt.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-locale-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial2-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.dll.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlusDemoR_BypassTrial180-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\WordR_OEM_Perp-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\legal\jdk\bcel.md.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_KMS_ClientC2R-ul.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\UIAutomationClientSideProviders.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Console.dll.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Retail-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription3-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.Primitives.dll.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\jconsole.exe.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\rmic.exe.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Professional2019DemoR_BypassTrial180-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_MAKC2R-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial2-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\Microsoft.VisualBasic.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_OEM_Perp-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\System.ValueTuple.dll.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Trial-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\WindowsFormsIntegration.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\7-Zip\Lang\ps.txt.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\PresentationUI.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.WebClient.dll.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-processthreads-l1-1-1.dll.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Java\jdk-1.8\legal\jdk\jpeg.md.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Microsoft Office\root\fre\StartMenu_Win10_RTL.mp4.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Grace-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\WindowsBase.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\sspi_bridge.dll.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\kor-kor.xml.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\PresentationFramework.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Java\jre-1.8\legal\jdk\unicode.md.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\ClientPreview_eula.txt.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClient.man.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\PresentationUI.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\PresentationFramework.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\Microsoft.VisualBasic.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription2-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_OEM_Perp-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-file-l2-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Serialization.Json.dll.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-multibyte-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_KMS_Client-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_Subscription-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A
File created C:\Program Files\Common Files\System\msadc\fr-FR\msaddsr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe

"C:\Users\Admin\AppData\Local\Temp\c1a542d1a21560c1d101eaf5a34a958169eaecab903d3acbf9ff06482ed6d019N.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 147.108.222.173.in-addr.arpa udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 110.11.19.2.in-addr.arpa udp
US 8.8.8.8:53 210.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

memory/4568-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3350944739-639801879-157714471-1000\desktop.ini.tmp

MD5 914ecf54ad4c60787d9d8028898476f1
SHA1 e6529c11557f84798780288fa8767473903e7a17
SHA256 8d5a4d0fcf8f4379a91592c6063884bbe6c886a223d0867c851a0b24728a6da0
SHA512 3dfe7eed3da935425984e696887481c847d077a0b46fb18ec74c59b0c1e826dd89c19bcb530504562dc5ca4f8c5d4819131737160b35e1bdccffcd6c1aa00355

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 524a27e8079a0675f07bd6c1b5d079fe
SHA1 509143ff49d8587ecc30412f98fb9b68c04a61d8
SHA256 91961cca78d6ab1563d5d480a19756420f130a04bd1df2166efe06d81a3d3eea
SHA512 030fa224681bf3fb7addd58591d97ef963518079bf5d50c957768db8d305aca3efd22f70fc67309ee5970c5524b8ad240988525c5bc64bd5e1a66230c3c03035

memory/4568-654-0x0000000000400000-0x000000000040B000-memory.dmp