Malware Analysis Report

2025-01-06 13:04

Sample ID 240617-azdzrszfnm
Target a4afe0fabc14c1ceb74d0e8a018f6a2e83522f7961c54ea68e8903f3f600880f
SHA256 a4afe0fabc14c1ceb74d0e8a018f6a2e83522f7961c54ea68e8903f3f600880f
Tags
upx ransomware
score
10/10

Analysis Overview

score
10/10

SHA256

a4afe0fabc14c1ceb74d0e8a018f6a2e83522f7961c54ea68e8903f3f600880f

Threat Level: Known bad

The file a4afe0fabc14c1ceb74d0e8a018f6a2e83522f7961c54ea68e8903f3f600880f was found to be: Known bad.

Malicious Activity Summary

upx ransomware

UPX dump on OEP (original entry point)

Renames multiple (3447) files with added filename extension

UPX dump on OEP (original entry point)

Renames multiple (1201) files with added filename extension

UPX packed file

Drops file in Program Files directory

Unsigned PE

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-17 00:38

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-17 00:38

Reported

2024-06-17 00:41

Platform

win7-20240611-en

Max time kernel

150s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a4afe0fabc14c1ceb74d0e8a018f6a2e83522f7961c54ea68e8903f3f600880f.exe"

Signatures

Renames multiple (3447) files with added filename extension

ransomware

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target

Processes

C:\Users\Admin\AppData\Local\Temp\a4afe0fabc14c1ceb74d0e8a018f6a2e83522f7961c54ea68e8903f3f600880f.exe

"C:\Users\Admin\AppData\Local\Temp\a4afe0fabc14c1ceb74d0e8a018f6a2e83522f7961c54ea68e8903f3f600880f.exe"

Network

N/A

Files

memory/2192-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-1340930862-1405011213-2821322012-1000\desktop.ini.tmp

MD5 cef5f5beb0be591799281d0e57618807
SHA1 a7e1cc5bb1c17d98b5ea39df689edf95af3e6895
SHA256 078d3bec9b84362f3e9198e20868969214937d41891cf3462280e923a0de404f
SHA512 cf9fe32fe3a54a70721402cde3e8085994ec2920e30b56ecb760a2e2fc776659242c7976b8a66ab413f0c0ff851772fd659fd659fa3c2e25b5b09911ebc04baf

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 b70ca3d5ad7c9fb5caee5d6998c30fc7
SHA1 bc20759c3ace68a7aa7114614a5c3382652a53d9
SHA256 3c43d8c45a2e1a268ac1df8e9edcffd03e2f16ca61267f3b21ee1260d276993b
SHA512 fcfc84d4bc7c162be5cb8dc60a1486a41469fe112dd804a9254a1ada12d8d0d529adf318e5a1cd5823256c312e71c29c9fa451b99e444e3a7dc1105c4acbf700

memory/2192-646-0x0000000000400000-0x000000000040B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-17 00:38

Reported

2024-06-17 00:41

Platform

win10v2004-20240226-en

Max time kernel

152s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a4afe0fabc14c1ceb74d0e8a018f6a2e83522f7961c54ea68e8903f3f600880f.exe"

Signatures

Renames multiple (1201) files with added filename extension

ransomware

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target

Processes

C:\Users\Admin\AppData\Local\Temp\a4afe0fabc14c1ceb74d0e8a018f6a2e83522f7961c54ea68e8903f3f600880f.exe

"C:\Users\Admin\AppData\Local\Temp\a4afe0fabc14c1ceb74d0e8a018f6a2e83522f7961c54ea68e8903f3f600880f.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4140 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto

Files

memory/1496-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini.tmp

MD5 6b9e8f9654e9d75944735872b944bdab
SHA1 618466d634c8aaebf47891e610609254d61c2189
SHA256 b991d809ea48aa00493b2bcc424d54edca8b556055ebbe1e8c9b0701b1a83862
SHA512 3bff030df894705f02fc98acf6c6080cf3879d5c9a79a2a6285db69235907d72c40760b7b9bd2cc05538ad4ea9962bb6d2a5a8af35072347bb3d48213c4bb231

C:\libsmartscreen.dll.tmp

MD5 7d034c810ba5436d4b87f282a0deb067
SHA1 52a0bbe6c26d70d14855de1e24b3a3e5611fe237
SHA256 2a76adae5f19f79745ec2f4c0161961b4eb4938c49bc8ba97c7ffba39f251e2d
SHA512 1d8046b2f9f77d63197f26d3a3902dd175fce74643d9a91b1d33619ba25307d287e1a9ae0b8c2487301931055f536cf6446d2e0824bb7193a27a7e778164fb5f

memory/1496-399-0x0000000000400000-0x000000000040B000-memory.dmp