Malware Analysis Report

2025-01-03 08:37

Sample ID 240611-dnhelasarb
Target c9ceb6a4ca2a0bf446e7e5f0277d49007498adb57699c51b79859a18e243f04b
SHA256 c9ceb6a4ca2a0bf446e7e5f0277d49007498adb57699c51b79859a18e243f04b
Tags upx ransomware
Score 10/10


Analysis Overview

Score 10/10

SHA256 c9ceb6a4ca2a0bf446e7e5f0277d49007498adb57699c51b79859a18e243f04b

Threat Level: Known bad

The file c9ceb6a4ca2a0bf446e7e5f0277d49007498adb57699c51b79859a18e243f04b was found to be: Known bad.

Malicious Activity Summary

upx ransomware

UPX dump on OEP (original entry point)

Renames multiple (5332) files with added filename extension

Renames multiple (3751) files with added filename extension

UPX packed file

Drops file in Program Files directory

Unsigned PE

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-11 03:09

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 03:09

Reported

2024-06-11 03:11

Platform

win7-20240508-en

Max time kernel

150s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c9ceb6a4ca2a0bf446e7e5f0277d49007498adb57699c51b79859a18e243f04b.exe"

Signatures

Renames multiple (3751) files with added filename extension

ransomware

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
All rows: Description = File created; Process = C:\Users\Admin\AppData\Local\Temp\c9ceb6a4ca2a0bf446e7e5f0277d49007498adb57699c51b79859a18e243f04b.exe; Target = N/A. Indicator (path of the created file) per row:
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.preferences_3.5.200.v20140224-1527.jar.tmp
C:\Program Files\VideoLAN\VLC\plugins\access\libshm_plugin.dll.tmp
C:\Program Files (x86)\Common Files\microsoft shared\ink\mshwjpn.dll.tmp
C:\Program Files\7-Zip\Lang\ky.txt.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\en-US\ShapeCollector.exe.mui.tmp
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\VDK10.RSD.tmp
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif.tmp
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Syowa.tmp
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Windows.Presentation.resources.dll.tmp
C:\Program Files\Java\jre7\lib\zi\Asia\Dili.tmp
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\System.Printing.resources.dll.tmp
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.Services.Client.resources.dll.tmp
C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\vlc.mo.tmp
C:\Program Files\VideoLAN\VLC\locale\et\LC_MESSAGES\vlc.mo.tmp
C:\Program Files\VideoLAN\VLC\New_Skins.url.tmp
C:\Program Files\7-Zip\Lang\cy.txt.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-heapwalker.xml.tmp
C:\Program Files\VideoLAN\VLC\plugins\meta_engine\libfolder_plugin.dll.tmp
C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\css\flyout.css.tmp
C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_concat_plugin.dll.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\notes-static.png.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-spi-actions_zh_CN.jar.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipTsf.dll.mui.tmp
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Stockholm.tmp
C:\Program Files\Java\jre7\lib\zi\Europe\Kaliningrad.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\InkObj.dll.mui.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\en-US\join.avi.tmp
C:\Program Files\VideoLAN\VLC\plugins\misc\libvod_rtsp_plugin.dll.tmp
C:\Program Files\VideoLAN\VLC\plugins\spu\liblogo_plugin.dll.tmp
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+10.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-api.xml.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\license.html.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-queries_zh_CN.jar.tmp
C:\Program Files\VideoLAN\VLC\plugins\codec\libaribsub_plugin.dll.tmp
C:\Program Files (x86)\Common Files\microsoft shared\DW\DBGHELP.DLL.tmp
C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.htm.tmp
C:\Program Files\Java\jdk1.7.0_80\jre\bin\fontmanager.dll.tmp
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Riyadh.tmp
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Mahe.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\epl-v10.html.tmp
C:\Program Files\VideoLAN\VLC\lua\playlist\anevia_xml.luac.tmp
C:\Program Files\VideoLAN\VLC\lua\playlist\appletrailers.luac.tmp
C:\Program Files\VideoLAN\VLC\plugins\codec\libdxva2_plugin.dll.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\ipsptg.xml.tmp
C:\Program Files\Java\jdk1.7.0_80\jre\bin\attach.dll.tmp
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Godthab.tmp
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp.tmp
C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\Center.tmp
C:\Program Files\VideoLAN\VLC\locale\mn\LC_MESSAGES\vlc.mo.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes.nl_ja_4.4.0.v20140623020002.jar.tmp
C:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\vlc.mo.tmp
C:\Program Files\VideoLAN\VLC\lua\playlist\newgrounds.luac.tmp
C:\Program Files\VideoLAN\VLC\plugins\codec\libspdif_plugin.dll.tmp
C:\Program Files\VideoLAN\VLC\plugins\demux\libnuv_plugin.dll.tmp
C:\Program Files\Windows Journal\InkSeg.dll.tmp
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Tashkent.tmp
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\South_Georgia.tmp
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Runtime.Serialization.dll.tmp
C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\vlc.mo.tmp
C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\settings.html.tmp
C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdate.cer.tmp
C:\Program Files\ConfirmUse.reg.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-swing-plaf.jar.tmp
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-1.tmp

Processes

C:\Users\Admin\AppData\Local\Temp\c9ceb6a4ca2a0bf446e7e5f0277d49007498adb57699c51b79859a18e243f04b.exe

"C:\Users\Admin\AppData\Local\Temp\c9ceb6a4ca2a0bf446e7e5f0277d49007498adb57699c51b79859a18e243f04b.exe"

Network

N/A

Files

memory/2164-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3691908287-3775019229-3534252667-1000\desktop.ini.tmp

MD5 5ebbe634fa8dad2188875f19bdee3382
SHA1 d58ff63e298b0e964c15b0d8fa6dcac64eb3e4fa
SHA256 a24819b15c6884b594778c77125ab11908e9610cb68a9db36071a9007d24a25a
SHA512 3bd9f333559532b39fc56c00beb82bd3dc58be5e92db2982ee64dadcfdd841651e2e31abf26afff611ed3dd76325f0f66fa43c45165205d974972b6190e771c8

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 813cfa8541ec186832e5a764cacf049c
SHA1 8aaef7ba833c4d6fbf7b7740db3c8732a4804e9e
SHA256 6371fb79d57dd27ebf8d46cd8b66362a4e491de3affa99f94245313d678a52e1
SHA512 a999d362af76675936836593748de21753b284808578f9624497a53e8e9f46ced9cfd2fe26ed97a73120f28e1727bca92bd3304a72cb42ebc8ad078093256aac

memory/2164-76-0x0000000000400000-0x000000000040A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-11 03:09

Reported

2024-06-11 03:11

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c9ceb6a4ca2a0bf446e7e5f0277d49007498adb57699c51b79859a18e243f04b.exe"

Signatures

Renames multiple (5332) files with added filename extension

ransomware

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
All rows: Description = File created; Process = C:\Users\Admin\AppData\Local\Temp\c9ceb6a4ca2a0bf446e7e5f0277d49007498adb57699c51b79859a18e243f04b.exe; Target = N/A. Indicator (path of the created file) per row:
C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-ul-oob.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART13.BDR.tmp
C:\Program Files\Microsoft Office\root\rsod\excelmui.msi.16.en-us.boot.tree.dat.tmp
C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ARIALNB.TTF.tmp
C:\Program Files\Common Files\microsoft shared\ink\da-DK\tipresx.dll.mui.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.Process.dll.tmp
C:\Program Files\Java\jre-1.8\lib\tzdb.dat.tmp
C:\Program Files\Microsoft Office\root\Office16\GKExcel.dll.tmp
C:\Program Files\Microsoft Office\root\rsod\powerpivot.x-none.msi.16.x-none.boot.tree.dat.tmp
C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\DESIGNER.ONE.tmp
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DBGHELP.DLL.tmp
C:\Program Files\7-Zip\Lang\sw.txt.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\Microsoft.VisualBasic.Forms.resources.dll.tmp
C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-stdio-l1-1-0.dll.tmp
C:\Program Files\Java\jdk-1.8\jre\lib\content-types.properties.tmp
C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcDemoR_BypassTrial365-ul-oob.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp4-ul-oob.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_MAK-ul-phn.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Unlock.png.tmp
C:\Program Files\Microsoft Office\root\vfs\Fonts\private\TEMPSITC.TTF.tmp
C:\Program Files\Common Files\microsoft shared\VGX\VGX.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Thread.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-ul-phn.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_K_COL.HXK.tmp
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\README.HTM.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.DirectoryServices.dll.tmp
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\fa.pak.tmp
C:\Program Files\7-Zip\Lang\az.txt.tmp
C:\Program Files\Common Files\microsoft shared\ink\nb-NO\tipresx.dll.mui.tmp
C:\Program Files\Java\jdk-1.8\jre\lib\management\management.properties.tmp
C:\Program Files\Java\jre-1.8\bin\ktab.exe.tmp
C:\Program Files\Microsoft Office\root\Licenses16\ProPlusMSDNR_Retail-ul-oob.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\mip_upe_sdk.dll.tmp
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-changjei.xml.tmp
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\oskpredbase.xml.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\WindowsFormsIntegration.resources.dll.tmp
C:\Program Files\Java\jdk-1.8\jre\COPYRIGHT.tmp
C:\Program Files\Java\jdk-1.8\legal\javafx\webkit.md.tmp
C:\Program Files\Java\jre-1.8\lib\jfr\default.jfc.tmp
C:\Program Files\Common Files\microsoft shared\ink\fr-FR\InkObj.dll.mui.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Encoding.Extensions.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\UIAutomationClient.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Controls.Ribbon.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\ReachFramework.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Printing.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\Microsoft.VisualBasic.Forms.resources.dll.tmp
C:\Program Files\Microsoft Office\root\Office16\1033\ClientVolumeLicense2019_eula.txt.tmp
C:\Program Files\Microsoft Office\root\Office16\ExcelTellMeOnnxModel.bin.tmp
C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Forms.Design.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Trial-ppd.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial1-ul-oob.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_OEM_Perp-ul-phn.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA\libcrypto-1_1-x64.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Subscription-ul-oob.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-140.png.tmp
C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\OpenSSL64.DllA\zlibwapi.dll.tmp
C:\Program Files\Microsoft Office\root\Office16\OFFSYMK.TTF.tmp
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_ca.xml.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\PresentationUI.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\UIAutomationTypes.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\PresentationFramework.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\UIAutomationClient.resources.dll.tmp
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\mr.pak.tmp

Processes

C:\Users\Admin\AppData\Local\Temp\c9ceb6a4ca2a0bf446e7e5f0277d49007498adb57699c51b79859a18e243f04b.exe

"C:\Users\Admin\AppData\Local\Temp\c9ceb6a4ca2a0bf446e7e5f0277d49007498adb57699c51b79859a18e243f04b.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/2896-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-4124900551-4068476067-3491212533-1000\desktop.ini.tmp

MD5 8d9c56f7e9f5eddbb137305900c88b72
SHA1 203884c17266a389af3ed6be29e6332d49f607c5
SHA256 7e18d03ed44433c9d56070a7fff8c85ffae8248fbaaa068410e771d18e1fc318
SHA512 498e600cc7eb4f7817058ffc7b00ceeeac77f77829a78d412104fdc3668b04da3b058d0694aaaed0a6557f84df9b4e1c7285198bfb428909427045ab2c12c769

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 4ceae6f8e31b9251cb187ea62fa6b14b
SHA1 1edb0d34e2490383adaa5b76a0c97d77ba27c7a6
SHA256 11c0eb17db37a9141bd55b83fcdf15eae45ef1eeef8e617cf6eccfca2f51e2a2
SHA512 116e6c622fdd77804c80cd6c47a1c4167107f6ce457a746a4fe021285ecd2f9344d4ec6cb7c4ebd09cceb7aa1a5cf799fd8766ef1d01e1593ae247ce358edf79

memory/2896-1216-0x0000000000400000-0x000000000040A000-memory.dmp