Malware Analysis Report

2024-11-16 10:54

Sample ID 240616-a85h3swdnn
Target a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b
SHA256 a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b
Tags
upx ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b

Threat Level: Known bad

The file a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b was found to be: Known bad.

Malicious Activity Summary

upx ransomware

UPX dump on OEP (original entry point)

Renames multiple (4962) files with added filename extension

Renames multiple (1035) files with added filename extension

UPX packed file

Drops file in Program Files directory

Unsigned PE

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-16 00:53

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 00:53

Reported

2024-06-16 00:56

Platform

win7-20240611-en

Max time kernel

151s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe"

Signatures

Renames multiple (1035) files with added filename extension

ransomware

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Internet Explorer\D3DCompiler_47.dll.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\7-Zip\Lang\ro.txt.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ipssrb.xml.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\7-Zip\7zCon.sfx.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME.txt.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\SmallLogo.png.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\7-Zip\Lang\ca.txt.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\1047x576black.png.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\specialoccasion.png.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\deploy.dll.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Guatemala.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Rankin_Inlet.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\javafx-doclet.jar.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\7-Zip\Lang\io.txt.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\7-Zip\Lang\sk.txt.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Kathmandu.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Common Files\System\msadc\en-US\msadcfr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Dili.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\mojo_core.dll.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\720x480blacksquare.png.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\ParentMenuButtonIcon.png.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Nauru.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwruklm.dat.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\msinfo32.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveDrop32x32.gif.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\jvm.lib.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\7-Zip\Lang\sl.txt.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationRight_SelectionSubpicture.png.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Stanley.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_ca.xml.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\eula.dll.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\rtscom.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ipsfra.xml.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Title_mainImage-mask.png.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-6.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Belem.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\mshwLatin.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\include\jdwpTransport.h.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\include\jni.h.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\java.security.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Atikokan.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\El_Salvador.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Almaty.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOMessageProvider.dll.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\circleround_glass.png.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\SmallLogoDev.png.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXEV.DLL.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Common Files\System\msadc\en-US\msadcor.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\TipRes.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_SelectionSubpicture.png.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\15x15dot.png.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\msinfo32.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\NavigationButtonSubpicture.png.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\jsse.jar.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\msdatl3.dll.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Common Files\System\wab32res.dll.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe

"C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe"

Network

N/A

Files

memory/2012-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-39690363-730359138-1046745555-1000\desktop.ini.tmp

MD5 facd9b08cb1f646701cea610529fb1e3
SHA1 e95f8122f535592472af2580b59777289c1a3cd7
SHA256 a1ded274c7eaca91c911f606e179ee9b964c75f8de190cd057dcd09a879de32b
SHA512 245e52e752712d522367642fbc99c8a66145c41e430c2ef8552e35e24285f636602c664c98922867928dd52e2aaee97cec13c4a65fb81cf9c27c1b69e5dfc04f

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 d72106c3783a1105a598de2989289006
SHA1 7047468b30c9e1a51a44f099a79a352c9fbf7c78
SHA256 3c3d5916d58eed1e33dfbdda6608415a07c566a713eb6be4e938b684aa7a29f0
SHA512 a2f81f4759f294b50b6aee0620e9674eb734dca1ff54b5ea0760c9542e8abe90bb823d2b9e92c4aefdb43661b7bb04621f16960ac82afd03e5f5b9ef0958df46

memory/2012-74-0x0000000000400000-0x000000000040B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-16 00:53

Reported

2024-06-16 00:56

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

102s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe"

Signatures

Renames multiple (4962) files with added filename extension

ransomware

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioProDemoR_BypassTrial180-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_MAKC2R-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\basicelegant.dotx.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG.HXS.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\7-Zip\Lang\mr.txt.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Resources.Reader.dll.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Schoolbook.xml.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\WindowsBase.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Retail-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\OneNote\prnSendToOneNote_win7.cat.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\7-Zip\7-zip32.dll.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\VSTOLoaderUI.dll.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\System.Windows.Controls.Ribbon.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\UIAutomationProvider.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\IEAWSDC.DLL.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\PresentationFramework.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\offsymxb.ttf.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\FPA_w1\WA104381125.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ValueTuple.dll.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\sk.pak.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\SAMPLES\SOLVSAMP.XLS.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fr-FR\TipTsf.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.FileVersionInfo.dll.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Subscription-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\UIAutomationProvider.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\java_crw_demo.dll.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\cmm\PYCC.pf.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe.config.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\.version.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Globalization.Calendars.dll.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\Microsoft.VisualBasic.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\ja\msipc.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN044.XML.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Common Files\System\msadc\ja-JP\msadcor.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Compression.Brotli.dll.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\fa.pak.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Accessibility.dll.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\policytool.exe.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\Custom.propdesc.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\7-Zip\Lang\sr-spc.txt.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.hash.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\PresentationFramework.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Retail-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-process-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected] C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\tipskins.dll.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Common Files\System\msadc\it-IT\msadcer.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\deploy\messages_zh_CN.properties.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\System.Windows.Input.Manipulations.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\US_export_policy.jar.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-heap-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\da-DK\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Windows.Forms.Design.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Trial-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\klist.exe.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Microsoft Office\root\Integration\C2RManifest.shared.Office.x-none.msi.16.x-none.xml.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Cng.dll.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-namedpipe-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Grace-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\baseAltGr_rtl.xml.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Intrinsics.dll.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Drawing.dll.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.lt-lt.dll.tmp C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe

"C:\Users\Admin\AppData\Local\Temp\a1e9f5e00d97d56f0ba06dfa13eade587f47e000bcac4f8d0daeb9b3cac15d9b.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

memory/1996-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-4204450073-1267028356-951339405-1000\desktop.ini.tmp

MD5 0dfddc608e2656ecef9a8c281d8e603c
SHA1 2e6c023856f9d5e5dfd9c00c974c44ab6e1c542c
SHA256 7900659f179d457efc0ab6fb0974da94b96c2bfac6d97f64729b00a7ffd674c1
SHA512 68dc468df9908738c34ee04991076333439b01a3f26738498a4dda534474ee3c0bc77eb83b2f519e0dc69262f2214da14c5589c613c1b304bbe12e3168ca1b47

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 29958386e91e742141bf50d983227dc3
SHA1 3d25b2d00b56d4d33fb9ff1d823bc35d47d70926
SHA256 8d81c6aaad8f7fa40faf0e37a41f3ffd1fece93214c378892dbe10afcbb6aacb
SHA512 014741fc1e51100b3e6655efa8679ba91949b684e3293bb90c4133ec591d7e9e623cee64c0586555240c4e3f79eb3aec526c19daa40de856a6c98630176ef6b6