Malware Analysis Report

2025-01-03 08:29

Sample ID 240616-3wbz8aycln
Target 9038ade68e85410284c53cbc164e3aecfab9c994ec06bc7c094dc9b76bd97827
SHA256 9038ade68e85410284c53cbc164e3aecfab9c994ec06bc7c094dc9b76bd97827
Tags: upx, ransomware
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256

9038ade68e85410284c53cbc164e3aecfab9c994ec06bc7c094dc9b76bd97827

Threat Level: Known bad

The file 9038ade68e85410284c53cbc164e3aecfab9c994ec06bc7c094dc9b76bd97827 was found to be: Known bad.

Malicious Activity Summary

upx ransomware

UPX dump on OEP (original entry point)

Renames multiple (3701) files with added filename extension

UPX dump on OEP (original entry point)

Renames multiple (4731) files with added filename extension

UPX packed file

Drops file in Program Files directory

Unsigned PE

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-16 23:51

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 23:51

Reported

2024-06-16 23:53

Platform

win7-20240508-en

Max time kernel

150s

Max time network

117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9038ade68e85410284c53cbc164e3aecfab9c994ec06bc7c094dc9b76bd97827.exe"

Signatures

Renames multiple (3701) files with added filename extension

ransomware

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory


Processes

C:\Users\Admin\AppData\Local\Temp\9038ade68e85410284c53cbc164e3aecfab9c994ec06bc7c094dc9b76bd97827.exe

"C:\Users\Admin\AppData\Local\Temp\9038ade68e85410284c53cbc164e3aecfab9c994ec06bc7c094dc9b76bd97827.exe"

Network

N/A

Files

memory/1708-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3691908287-3775019229-3534252667-1000\desktop.ini.tmp

MD5 e872895a645094f9a0386f82aac9c05b
SHA1 9aa2dd7f8dce12c3fe93d3cbb98e74e22995fc50
SHA256 4de8d84b550f788636421d77eed9e6cfe41720b6c93988664832152852703487
SHA512 8e80198bb92c92f7d4fd19fedf832df6dd4ce099fb9c4838e89aa34af258fb1c1d51affd6b1fe5a0533097b8f04401b42859a18e78dbb829af8ba88a3e59a39d

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 84b91a79e0da104089f18edb25579c31
SHA1 8dc0fdd7ac309288635dda97346dca26f442f54b
SHA256 1da0eb51c6f1d769f2c41909686fc5de5aeb9cde4616a7f95309a049a2ec3bfa
SHA512 c7c9f638eb96ca40ac95cdaf15d18b7692de6ce984163a895f3bb4be9ffe46aa48c7975d277c5e7ef839113d8c31bc3508dbc97eee77127a7765d88777264812

memory/1708-662-0x0000000000400000-0x000000000040B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-16 23:51

Reported

2024-06-16 23:53

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9038ade68e85410284c53cbc164e3aecfab9c994ec06bc7c094dc9b76bd97827.exe"

Signatures

Renames multiple (4731) files with added filename extension

ransomware

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory


Processes

C:\Users\Admin\AppData\Local\Temp\9038ade68e85410284c53cbc164e3aecfab9c994ec06bc7c094dc9b76bd97827.exe

"C:\Users\Admin\AppData\Local\Temp\9038ade68e85410284c53cbc164e3aecfab9c994ec06bc7c094dc9b76bd97827.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
BE 88.221.83.234:443 www.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 100.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 234.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
BE 88.221.83.234:443 www.bing.com tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 57.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 14.173.189.20.in-addr.arpa udp

Files

memory/388-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-4204450073-1267028356-951339405-1000\desktop.ini.tmp

MD5 331a24c79f4cd380f4f011c4b129d165
SHA1 62f0c211ff0019b1273f07bd50c806ba0283324f
SHA256 8c0a6d1fdd169931a9a8596edf096c2dc246221f85712bd9620311c60314fccd
SHA512 bca201f0f6102b0ee77ae6968bf647494d59a91c4c3d2856f4684d3c514a079d16e8a38ccf579959c97624e1bd2c972afc7af8aef0ac43f922512ef1fea14683

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 2f5a5892c123ce3dea3f7ba3cfd2dd30
SHA1 b893f393e345785461c930723f269cd8eedc3919
SHA256 3582bf4c6d4387ac61a544e79b66d40e0e508225a614944554ee31a3ce4f0099
SHA512 17cd1ba21a7f7d23f95259df822a2b9afee1fbb53122781f8b0ef0fadd6024ae664313cfde9c3c10d9da270c3867b78ab0e1f7412a19a055ac84d8b3f2053c4c

memory/388-1748-0x0000000000400000-0x000000000040B000-memory.dmp