Malware Analysis Report

2024-11-16 10:55

Sample ID 240616-c7vnlawfka
Target cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc
SHA256 cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc
Tags
upx ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc

Threat Level: Known bad

The file cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc was found to be: Known bad.

Malicious Activity Summary

upx ransomware

UPX dump on OEP (original entry point)

Renames multiple (3684) files with added filename extension

UPX dump on OEP (original entry point)

Renames multiple (5213) files with added filename extension

UPX packed file

Drops file in Program Files directory

Unsigned PE

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-16 02:43

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
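The two static1 verdicts above, "UPX packed file" and "Unsigned PE", can be reproduced from the PE headers alone before anything is detonated. The Python below is an added example for this page, not the sandbox's own detector: it walks the DOS header to the PE signature, reads the section table, flags UPX-style section names or the literal "UPX!" marker, and reads data directory 4 (the Authenticode certificate table) to decide whether a signature is even attached. The two inputs are constructed header-only PE32 stubs built inside the block; the real sample would be passed in as `open(path, "rb").read()`. Two caveats a practitioner should keep in mind: a non-empty security directory only means a certificate blob is present, not that it chains to a trusted root, and a packer can rename its sections, so the absence of "UPX0"/"UPX1" is not evidence that the file is unpacked.

```python
"""Static triage of a PE image: UPX markers and Authenticode presence (added example)."""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # data directory index of the certificate table


def parse_pe(data: bytes) -> dict:
    """Return section names and the security-directory size from raw PE bytes.
    Raises ValueError for anything that is not a well-formed PE header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (_machine, nsections, _ts, _symptr, _nsyms,
     opt_size, _chars) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    # The data directories start at 0x60 for PE32 and 0x70 for PE32+;
    # NumberOfRvaAndSizes is the DWORD immediately before them in both.
    if magic == 0x10B:
        dd_off = opt + 0x60
    elif magic == 0x20B:
        dd_off = opt + 0x70
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    ndirs = struct.unpack_from("<I", data, dd_off - 4)[0]
    sec_size = 0
    if ndirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        _rva, sec_size = struct.unpack_from(
            "<II", data, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    sect_tbl = opt + opt_size            # section table follows the optional header
    names = []
    for i in range(nsections):
        raw = data[sect_tbl + 40 * i: sect_tbl + 40 * i + 8]
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return {"sections": names, "security_dir_size": sec_size}


def triage(data: bytes) -> dict:
    """Combine the header facts into the two static verdicts."""
    info = parse_pe(data)
    upx_sections = [n for n in info["sections"] if n.upper().startswith("UPX")]
    return {
        "sections": info["sections"],
        "upx_sections": upx_sections,
        "upx_packed": bool(upx_sections) or b"UPX!" in data,
        # Presence of a certificate table only; validity is a separate check.
        "signed": info["security_dir_size"] > 0,
    }


def build_stub_pe(section_names, signed: bool) -> bytes:
    """Constructed header-only PE32 stub (not a runnable binary, not this sample)
    used purely to exercise parse_pe()/triage() offline."""
    nsec = len(section_names)
    opt_size = 0xE0                      # PE32 optional header with 16 data directories
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)             # PE32 magic
    struct.pack_into("<I", opt, 0x5C, 16)             # NumberOfRvaAndSizes
    if signed:                                        # fake certificate table entry
        struct.pack_into("<II", opt, 0x60 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         0x1000, 0x800)
    sects = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + bytes(opt) + sects


# Constructed inputs: one UPX-style layout without a certificate, one plain layout with one.
SAMPLE_UPX = build_stub_pe(["UPX0", "UPX1", ".rsrc"], signed=False)
SAMPLE_PLAIN = build_stub_pe([".text", ".rdata", ".data"], signed=True)

if __name__ == "__main__":
    for label, blob in (("upx-stub", SAMPLE_UPX), ("plain-stub", SAMPLE_PLAIN)):
        print(label, triage(blob))
```

On a real UPX sample the unpacked code is what the "UPX dump on OEP" signature captures at runtime; the static check only tells you to expect that step, which is why this report keeps the static verdict and the behavioral memory dumps separate.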

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 02:43

Reported

2024-06-16 02:46

Platform

win7-20240508-en

Max time kernel

150s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe"

Signatures

Renames multiple (3684) files with added filename extension

ransomware

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Java\jre7\lib\zi\Europe\Zaporozhye.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\am_ET\LC_MESSAGES\vlc.mo.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\clock.html.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\settings.html.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\42.png.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\pagecurl.png.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\blackbars60.png.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\gstreamer-lite.dll.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\1047x576black.png.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_200_percent.pak.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861240811.profile.gz.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-windows_zh_CN.jar.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-outline_ja.jar.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Whitehorse.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\SystemV\PST8PDT.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\kn\LC_MESSAGES\vlc.mo.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-delete.avi.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\TipTsf.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\DVD Maker\PipeTran.dll.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-io-ui_zh_CN.jar.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\vlc.mo.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\46.png.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-new.png.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\VDK10.STD.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\DVD Maker\de-DE\DVDMaker.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\button-overlay.png.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.renderers.swt.nl_zh_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng32.clx.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.model.workbench.nl_zh_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.emf.common_2.10.1.v20140901-1043.jar.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_partstyle.css.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Java\jre7\bin\sunec.dll.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Asia\Shanghai.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\GroupInstall.wmf.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Internet Explorer\en-US\iedvtool.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Grand_Turk.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\drag.png.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\DVD Maker\fr-FR\WMM2CLIP.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\trad_m.png.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_corner_top_right.png.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.ComponentModel.DataAnnotations.dll.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationUp_SelectionSubpicture.png.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.property_1.4.200.v20140214-0004.jar.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Pacific\Midway.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-execution_zh_CN.jar.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Etc\GMT+2.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.VisualC.STLCLR.dll.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_rgb_mmx_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\video_filter\libscene_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationLeft_SelectionSubpicture.png.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Perth.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\plugin.properties.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\VideoLAN\VLC\vlc.exe.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\localizedStrings.js.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\settings.html.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Windows Sidebar\ja-JP\sbdrop.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToScenesBackground_PAL.wmv.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\fil.pak.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Rome.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-queries_ja.jar.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\7-Zip\Lang\bn.txt.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Asuncion.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.common_3.6.200.v20130402-1505.jar.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe

"C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe"

Network

N/A

Files

memory/1848-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-268080393-3149932598-1824759070-1000\desktop.ini.tmp

MD5 5ddecbfcaa4b2b911273b62262c42b10
SHA1 b4f614d139c286794524e5d0eb273fbd51895d77
SHA256 06bc39213f64ef640d2d67813531c2b3e6248e3d2028715bab025529d95ad5dd
SHA512 bca9352e3990ba0563ecd61b9b14d35c10ee8c4642518361586cefd062b4e2cd9d654309cd40976ab62f6698d350b18aa1d720de201e5d90b058cab9fb3a8582

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 7b20c07b2758a69391545e475c5aaa5d
SHA1 c914ebb09fd9a7af0922c5e32f8f4f3ff4107cc2
SHA256 4c0dee97ed9771e820a4cb1816760e79d42141d9c4e1666245d3ca53ad680247
SHA512 4b445b66541e4463bd0c8cbb9c42682a7d32f268bcb6b7e8d6f6d1c8996df9d8dc97cb3c33cc98359b910c3ba781bd660f0f70b06b66b679258fb7c673ab4338

memory/1848-650-0x0000000000400000-0x000000000040B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-16 02:43

Reported

2024-06-16 02:46

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

53s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe"

Signatures

Renames multiple (5213) files with added filename extension

ransomware

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Dallas.OAuthClient.dll.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\msproof7.dll.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL097.XML.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected] C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Microsoft Office\root\rsod\powerpointmui.msi.16.en-us.tree.dat.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Pipes.AccessControl.dll.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_COL.HXC.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\deploy\[email protected] C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\PresentationFramework.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail2-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Retail-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_KMS_Client_AE-ul.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected] C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-string-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\PresentationFramework.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription2-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\flat_officeFontsPreview.ttf.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.Metadata.dll.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\w2k_lsa_auth.dll.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTest-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\dotnet\host\fxr\7.0.16\hostfxr.dll.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Grace-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Trial-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Grace-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Data.OData.Query.NetFX35.dll.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\OSFROAMINGPROXY.DLL.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XPath.dll.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Windows.Forms.Design.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\pt-BR.pak.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-interlocked-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-process-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\jaas_nt.dll.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_KMS_Client_AE-ul.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Handles.dll.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Transactions.dll.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\Microsoft.VisualBasic.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Java\jdk-1.8\include\jdwpTransport.h.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Retail-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\CancelGlyph.16.White.png.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\clrjit.dll.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Loader.dll.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.Win32.SystemEvents.dll.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-libraryloader-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-black_scale-140.png.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Thread.dll.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\mscss7es.dll.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\catalog.json.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\Fonts\private\BOOKOSBI.TTF.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-localization-l1-2-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert.xml.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ValueTuple.dll.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\System.Windows.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaTypewriterBold.ttf.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Java\jre-1.8\legal\jdk\xalan.md.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\meta-index.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\de-DE\TipRes.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ARIALNB.TTF.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\Fonts\private\JUICE___.TTF.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_MAK-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe N/A
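Both detonations (behavioral1 on win7, behavioral2 on win10v2004) trip "Renames multiple (N) files with added filename extension" alongside hundreds of "File created ...tmp" events under Program Files, which is the usual encrypt-to-temp-then-rename loop. The Python below is an added example of how such a behavioral signature is scored; it is not Triage's own signature code. It reads a file-event trace, counts renames whose target is the source name (minus any `.tmp` staging suffix) plus exactly one new extension, groups them by the appended extension, counts how many of those renames came from a `.tmp` the process itself created, and counts drops under Program Files. The event tuple shape, the `.locked` extension, the threshold of 50 and the whole sample trace are constructed assumptions; the report does not state which extension this sample appends.

```python
"""Score a Windows file-event trace for mass 'rename with added extension' (added example)."""
import ntpath
from collections import Counter

# Assumed event shape: (operation, source_path, target_path_or_None).
# Constructed for this example; not the sandbox's native log format.
PROGRAM_FILES = ("c:\\program files\\", "c:\\program files (x86)\\")


def added_extension(src: str, dst: str):
    """Return the extension appended to src's name when dst is
    '<src minus .tmp> + .ext' in the same directory, else None.
    Covers in-place renames (a.png -> a.png.ext) and staged ones (a.png.tmp -> a.png.ext)."""
    sdir, sname = ntpath.split(src)
    ddir, dname = ntpath.split(dst)
    if sdir.lower() != ddir.lower():
        return None
    if sname.lower().endswith(".tmp"):
        sname = sname[:-4]
    if len(dname) > len(sname) + 1 and dname.lower().startswith(sname.lower() + "."):
        return dname[len(sname):]
    return None


def analyze(events, threshold=50):
    """Aggregate rename/create evidence. threshold is an assumed cut-off, not the sandbox's."""
    staged = set()          # lower-cased .tmp paths this process created
    by_ext = Counter()      # appended extension -> rename count
    staged_renames = 0      # renames whose source was a .tmp we saw created
    pf_drops = 0            # files created under Program Files
    for op, src, dst in events:
        low = src.lower()
        if op == "create":
            if low.endswith(".tmp"):
                staged.add(low)
            if low.startswith(PROGRAM_FILES):
                pf_drops += 1
        elif op == "rename" and dst:
            ext = added_extension(src, dst)
            if ext:
                by_ext[ext.lower()] += 1
                if low in staged:
                    staged_renames += 1
    total = sum(by_ext.values())
    return {
        "renamed_with_added_ext": total,
        "by_extension": dict(by_ext),
        "tmp_staged_renames": staged_renames,
        "program_files_drops": pf_drops,
        "ransomware_like": total >= threshold,
    }


def build_sample_trace(n_victims=60, ext=".locked"):
    """Constructed trace (not from the report): n encrypt-via-.tmp sequences under a
    fictitious 'Demo' product folder plus two benign renames that must not count."""
    events = []
    for i in range(n_victims):
        orig = rf"C:\Program Files\Demo\lib\module{i}.dll"
        tmp = orig + ".tmp"
        events += [("create", tmp, None), ("write", tmp, None),
                   ("delete", orig, None), ("rename", tmp, orig + ext)]
    # Benign: an updater swapping a staged file into place (extension removed, not added).
    events += [("create", r"C:\Program Files\Demo\app.exe.new", None),
               ("rename", r"C:\Program Files\Demo\app.exe.new", r"C:\Program Files\Demo\app.exe")]
    # Benign: log rotation to a different base name.
    events += [("rename", r"C:\ProgramData\Demo\app.log", r"C:\ProgramData\Demo\app.1.log")]
    return events


if __name__ == "__main__":
    print(analyze(build_sample_trace()))
```

The same scoring applies to EDR or Sysmon file telemetry during incident response: a single process producing a large, uniform count under one appended extension in a short window is the signal, and the `tmp_staged_renames` figure is what ties the many `.tmp` creations in this report to the renames rather than treating them as an installer.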

Processes

C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe

"C:\Users\Admin\AppData\Local\Temp\cd990fa537e494bd4487e1cc1e96f9d658c12cec368c65e75bf6c87e8d042dbc.exe"

Network

Files

C:\$Recycle.Bin\S-1-5-21-4124900551-4068476067-3491212533-1000\desktop.ini.tmp

MD5 b5f73483a9ae12e2666541f8622c35d1
SHA1 d7cad6a421616a9aad97c51c46546e6f38a08500
SHA256 cab65dac0549c15c976fc279311aade61188183ebc71375eb6c6bdff122a3499
SHA512 7e694cdc9ec28ca0206ea0580560daa971df762e241183ad115e480bb1cc290fa24ce3abf35908615ac7221467bd64c55e71f4c8466b3076f9e955ec567b1d31

memory/4128-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 63598be190a5bf15d2be22a7c4f642f7
SHA1 e2916650feb935719956368173e3671cb77dbf78
SHA256 facf79fbbc4a8a2cd963b3651bcef8290defb61399e3dae9cd5966204d99d6e7
SHA512 0ee7077b28839f9611566cc5961c7799b252ff53344b8a657312932bb81f56bfef54c28c579183ef8ba09c04efb9a5a0bafbb221d17411a3dd2f8c7c1a38d581

memory/4128-1950-0x0000000000400000-0x000000000040B000-memory.dmp