Malware Analysis Report

2025-06-16 03:35

Sample ID 240608-cbrl3agc96
Target 1ba50dcb10db9275f3e0825385943680.bin
SHA256 0c8b0a51a90659ff50855c4e4fbd5e99c9e8e253be2539bdb2023121d659f436
Tags
upx ransomware
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

0c8b0a51a90659ff50855c4e4fbd5e99c9e8e253be2539bdb2023121d659f436

Threat Level: Likely malicious

The file 1ba50dcb10db9275f3e0825385943680.bin was found to be: Likely malicious.

Malicious Activity Summary

upx ransomware

Renames multiple (3441) files with added filename extension

Renames multiple (4848) files with added filename extension

UPX packed file

Drops file in Program Files directory

Unsigned PE

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-08 01:54

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-08 01:54

Reported

2024-06-08 01:56

Platform

win7-20240508-en

Max time kernel

149s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe"

Signatures

Renames multiple (3441) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Java\jre7\lib\zi\Africa\Monrovia.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Winnipeg.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Windows Journal\fr-FR\JNTFiltr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\js\settings.js.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\sunec.dll.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\triggerActionExceptionHandlers.exsd.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-windows.xml.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\msdatl3.dll.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Europe\London.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Xml.Linq.dll.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Windows Media Player\de-DE\wmpnscfg.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\currency.js.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\license.html.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.ui.zh_CN_5.5.0.165303.jar.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Asia\Novosibirsk.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Indian\Mahe.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.IdentityModel.Selectors.Resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_thunderstorm.png.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Berlin.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.core.nl_ja_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Europe\Copenhagen.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Riyadh88.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Sakhalin.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Tbilisi.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Entity.dll.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\vlm_export.html.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\micaut.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Common Files\System\msadc\es-ES\msdaprsr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Salta.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\6.png.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\UIAutomationClient.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\vlc.mo.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\access\libftp_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Common Files\System\msadc\es-ES\msadcfr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\es-419.pak.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-10.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-7.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861258748.profile.gz.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Java\jre7\lib\security\US_export_policy.jar.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\WindowsBase.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Data.Services.Client.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\7-Zip\Lang\hi.txt.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\tabskb.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\San_Luis.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\delete_over.png.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\css\picturePuzzle.css.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-api-visual.xml_hidden.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Windows Media Player\en-US\setup_wm.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\library.js.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\launcher.win32.win32.x86_64.properties.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_classic_winxp.css.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Pacific\Fiji.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\VideoLAN\VLC\skins\fonts\FreeSansBold.ttf.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bg-desk.png.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\db\bin\NetworkServerControl.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Abidjan.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\feature.xml.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Common Files\System\msadc\fr-FR\msadcer.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.batik.util.gui_1.7.0.v200903091627.jar.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_blue_partly-cloudy.png.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Java\jre7\LICENSE.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\Microsoft.Build.Conversion.v3.5.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe

"C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe"

Network

N/A

Files

memory/2232-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3691908287-3775019229-3534252667-1000\desktop.ini.tmp

MD5 658311d5f841c9e977c7529737634140
SHA1 f21f914c8786db5bc1d05d2dd12e1c10b8395762
SHA256 a843773b7fa5e6b41c559ef6a8fc96b212293da895c4e4ff519a7ee349b2207c
SHA512 5c1cc97810c444b2413fe38a44d0cafa041cfd3e1976a81709bd0a4a8c8cc348c979e3637eaefe4a33723c9e60c33730c1298f75fc1df0a7dff0ba45e5152bac

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 d19f18b09a5916587279a48924399630
SHA1 a84729f5a75d0a1c3f2e4efc215f780d5cda8984
SHA256 aa27e6f375e3f9cba75290f46252fe2e703d9694fb95c85beb37b0481409f195
SHA512 e9bd71f786c44dcc2d95799bc20b511238d2284a99524ff39b1d44b1e55dcbcb028c78a6f94fe5ed1b0438439d2bafd85fb7f11e88acb9bcd6b6f58d3330eeab

memory/2232-86-0x0000000000400000-0x000000000040A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-08 01:54

Reported

2024-06-08 01:57

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe"

Signatures

Renames multiple (4848) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-heap-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\WindowsBase.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-profile-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Riblet.eftx.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.XLHost.Modeler.dll.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\InstallerMainShell.tlb.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TabTip.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\System.Windows.Forms.Design.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\Library\SOLVER\SOLVER32.DLL.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\Microsoft.VisualBasic.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\vcruntime140_1.dll.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Java\jdk-1.8\legal\jdk\lcms.md.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.ConnectionUI.dll.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\JitV.dll.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\7-Zip\Uninstall.exe.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Serialization.dll.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH_COL.HXT.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Windows.Forms.Primitives.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-runtime-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Web.dll.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Trial-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Trial-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\sv-SE\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Primitives.dll.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\CLVWINTL.DLL.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ExcelCombinedFloatieModel.bin.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Common Files\System\msadc\ja-JP\msaddsr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectProDemoR_BypassTrial180-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\WindowsFormsIntegration.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\mr.pak.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\BHOINTL.DLL.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Practices.Unity.dll.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\7-Zip\Lang\hr.txt.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Common Files\DESIGNER\MSADDNDR.OLB.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Presentation.dll.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\System.Windows.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\cmm\GRAY.pf.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\tzmappings.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\orcl7.xsl.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Http.Json.dll.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\UIAutomationClient.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\PresentationFramework.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019MSDNR_Retail-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Retail-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_MAK-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.Win32.Primitives.dll.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\PresentationFramework.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-processthreads-l1-1-1.dll.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Http.dll.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\ExcelNaiveBayesCommandRanker.txt.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\7-Zip\Lang\eu.txt.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.id-id.dll.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\EXPTOOWS.XLA.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Retail-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\th.pak.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-utility-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\legal\javafx\public_suffix.md.tmp C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe

"C:\Users\Admin\AppData\Local\Temp\1ba50dcb10db9275f3e0825385943680.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 43.147.200.23.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

memory/1128-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-711569230-3659488422-571408806-1000\desktop.ini.tmp

MD5 e50e197f025b5e4bf998fb86a17fe7de
SHA1 3ad2b6b8b4a7845350ba835eeaf742bda58e60ef
SHA256 d1e58880a79c050a367078c70860e33199120d94838b5c840284c616c1f3235e
SHA512 c7a2df0ab5830870449f36392d2005b6c1815b7c948355c8645e606fc9fd8c5d2c40245ec9775ac14c05677a5ea4963aa0aa9efbbc55c70969501c84d55a73f1

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 83cac510e19bf375b7576d72e2bfce74
SHA1 74be48259a58beaf7518489ab857aae9620a1b49
SHA256 bdf36b1aa0e16dcae7238282627ec4856fd190b280d204dc12f6afaf95b6a6db
SHA512 032d358c46357200028f610badf9600a1e632fb284a5691706172a4f070bf8f6335e9ffcc2cc14406970e1b0ad051f3064dc64dbbb01bfca0347f6b6aae49dd8