Malware Analysis Report

2025-08-11 01:48

Sample ID 241005-yc9pxszhjm
Target 036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe
SHA256 036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72
Tags upx, discovery, ransomware
Score 9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 9/10

SHA256 036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72

Threat Level: Likely malicious

The file 036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe was found to be: Likely malicious.

Malicious Activity Summary

Tags upx, discovery, ransomware

Renames multiple (5328) files with added filename extension

Renames multiple (3754) files with added filename extension

UPX packed file

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-05 19:39

Signatures

UPX packed file

upx
Description Indicator Process Target
(no indicator rows recorded for this signature)

Unsigned PE

Description Indicator Process Target
(no indicator rows recorded for this signature)
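The two static1 signatures above (UPX packing, unsigned PE) can be reproduced from the file headers alone. The following is an added example for this report, not sandbox code: a standard-library PE walk that reports packer section names, per-section entropy and whether the Authenticode certificate table is present. The sample itself is not on this page, so build_synthetic_upx_pe() constructs a stand-in PE32 with UPX0/UPX1 sections and no signature; that layout is an assumption about what a UPX-packed, unsigned file looks like structurally, not a reproduction of the sample.

```python
"""Static triage: packer evidence (section names + entropy) and Authenticode presence."""
import hashlib
import math
import struct

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b"UPX!"}
IMAGE_DIRECTORY_ENTRY_SECURITY = 4      # certificate table; its first field is a file offset, not an RVA


def shannon_entropy(data: bytes) -> float:
    """Bits per byte in [0, 8]; packed or encrypted data typically scores above 7."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """Walk DOS -> PE signature -> COFF -> optional header -> section table (no pefile dependency)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dir_base = opt + (96 if magic == 0x10B else 112)          # data directory offset: PE32 vs PE32+
    _cert_off, cert_size = struct.unpack_from("<II", data, dir_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    sections = []
    table = opt + size_opt
    for i in range(num_sections):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({"name": name.rstrip(b"\0"), "raw_size": raw_size,
                         "entropy": round(shannon_entropy(raw), 2)})
    return {"sections": sections, "signed": cert_size != 0}


def triage(data: bytes) -> dict:
    """The two static verdicts: packer evidence and signature presence."""
    info = parse_pe(data)
    names = {s["name"] for s in info["sections"]}
    return {
        "upx": bool(names & UPX_SECTION_NAMES),
        "high_entropy_sections": [s["name"].decode() for s in info["sections"] if s["entropy"] > 7.0],
        "unsigned": not info["signed"],
    }


def build_synthetic_upx_pe() -> bytes:
    """Constructed stand-in (not the sample): PE32 with UPX0 (no raw data), UPX1 (packed blob)
    and .rsrc; all 16 data directories are zero, so there is no certificate table."""
    packed = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))   # 4 KiB, deterministic, near 8 bits/byte
    rsrc = b"\0" * 512
    opt_size = 224                                          # PE32 optional header with 16 directories
    raw_start = 0x200                                       # first file-aligned offset after the headers
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, opt_size, 0x0102)   # i386, 3 sections, executable
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic

    def section(name, vsize, va, raw_size, raw_ptr):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, raw_size, raw_ptr, 0, 0, 0, 0, 0xE0000020)

    table = (section(b"UPX0", 0x5000, 0x1000, 0, 0)
             + section(b"UPX1", len(packed), 0x6000, len(packed), raw_start)
             + section(b".rsrc", len(rsrc), 0x8000, len(rsrc), raw_start + len(packed)))
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    return image + b"\0" * (raw_start - len(image)) + packed + rsrc


if __name__ == "__main__":
    print(triage(build_synthetic_upx_pe()))   # {'upx': True, 'high_entropy_sections': ['UPX1'], 'unsigned': True}
```

Run triage(open(path, "rb").read()) on a real file. Section names are trivial to rename, so the entropy result is the more durable packing signal; a genuine UPX build can usually be unpacked with upx -d for further static analysis, while a modified stub will fail that step and needs a memory dump such as the 0x400000-0x40A000 region listed in the behavioral runs below.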

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-05 19:39

Reported

2024-10-05 19:42

Platform

win7-20240903-en

Max time kernel

149s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe"

Signatures

Renames multiple (3754) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
(no indicator rows recorded for this signature)

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Microsoft Games\Multiplayer\Spades\fr-FR\ShvlRes.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Windows Media Player\es-ES\wmplayer.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\js\picturePuzzle.js.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_close_down_BIDI.png.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Gaza.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification.zh_CN_5.5.0.165303.jar.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Java\jre7\lib\jfxrt.jar.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Java\jre7\bin\javafx-font.dll.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Antarctica\Davis.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\GIFIMP32.FLT.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-windows_zh_CN.jar.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-applemenu.jar.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-oql_zh_CN.jar.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_bridge_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\currency.html.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Budapest.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-ui_zh_CN.jar.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.Speech.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-impl_zh_CN.jar.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Web.Entity.Design.Resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-options.xml.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.Entity.Resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\spu\libsubsdelay_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Windows Media Player\Network Sharing\ConnectionManager.xml.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Common Files\System\ado\es-ES\msader15.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\DVD Maker\fr-FR\WMM2CLIP.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.natives.nl_ja_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Juneau.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Santarem.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Asia\Hovd.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Microsoft Games\Hearts\es-ES\Hearts.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\access\liblibbluray_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Yakutat.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Reunion.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Dawson.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.ui.zh_CN_5.5.0.165303.jar.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Etc\GMT+5.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\UIAutomationProvider.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Framework.dll.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\TestRestore.vsx.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\db\bin\sysinfo.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Montevideo.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Niue.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\settings.html.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\css\settings.css.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host.xml.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Europe\Malta.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Mozilla Firefox\crashreporter.exe.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\codec\libttml_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\settings.html.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationLeft_ButtonGraphic.png.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaSansDemiBold.ttf.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Tallinn.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Windows Media Player\fr-FR\WMPDMCCore.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_left_pressed.png.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\ehshellLogo.png.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\logo.png.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\SendMail.api.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.core.nl_zh_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-sampler.jar.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Microsoft Games\Chess\it-IT\Chess.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
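The "Drops file in Program Files directory" rows above are all creations of `<original name>.tmp` beside existing files, which is the staging pattern behind the "Renames multiple (3754) files with added filename extension" verdict. The following is an added example for this report, not the sandbox's own signature logic: the same heuristic run over structured file-event telemetry (Sysmon-style create and rename records). The events are constructed; the .tmp creation paths are copied from the table above, while the rename events and the ".locked" extension are an assumption about what follows the staging write, since the report does not show the final extension. Processes 2208 and 3100 are constructed benign noise.

```python
"""Mass appended-extension rename detector over constructed file-event telemetry."""
from collections import Counter, defaultdict
import ntpath

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe"


def _ev(pid, image, op, path, new_path=None):
    return {"pid": pid, "image": image, "op": op, "path": path, "new_path": new_path}


# Victim paths copied from the report's file-creation table (without the .tmp suffix).
VICTIMS = [
    r"C:\Program Files\Windows Media Player\es-ES\wmplayer.exe.mui",
    r"C:\Program Files\Java\jre7\lib\jfxrt.jar",
    r"C:\Program Files\Mozilla Firefox\crashreporter.exe",
    r"C:\Program Files\VideoLAN\VLC\plugins\codec\libttml_plugin.dll",
]
EVENTS = []
for v in VICTIMS:
    EVENTS.append(_ev(1576, SAMPLE, "create", v + ".tmp"))          # staging write, as in the report
    EVENTS.append(_ev(1576, SAMPLE, "rename", v, v + ".locked"))    # assumed follow-up rename
EVENTS += [
    _ev(2208, r"C:\Windows\explorer.exe", "rename",
        r"C:\Users\Admin\Documents\report.docx", r"C:\Users\Admin\Documents\report-final.docx"),  # nothing appended
    _ev(3100, r"C:\Program Files\BackupTool\backup.exe", "rename",
        r"C:\Logs\app.log", r"C:\Logs\app.log.bak"),                 # one appended extension: below threshold
]


def appended_extension(old: str, new: str):
    """Return the appended extension (with its dot) if new == old + '.<ext>' in the same directory."""
    if ntpath.dirname(old).lower() != ntpath.dirname(new).lower():
        return None
    old_base, new_base = ntpath.basename(old), ntpath.basename(new)
    if new_base.startswith(old_base + ".") and len(new_base) > len(old_base) + 1:
        return new_base[len(old_base):]
    return None


def score_processes(events, min_renames=3):
    """Per process: count renames that only append an extension, the dominant extension,
    .tmp staging writes and distinct directories touched; report those over the threshold."""
    per_pid = defaultdict(lambda: {"image": None, "tmp_creates": 0, "appended": Counter(), "dirs": set()})
    for ev in events:
        st = per_pid[ev["pid"]]
        st["image"] = ev["image"]
        if ev["op"] == "create" and ev["path"].lower().endswith(".tmp"):
            st["tmp_creates"] += 1
            st["dirs"].add(ntpath.dirname(ev["path"]).lower())
        elif ev["op"] == "rename":
            ext = appended_extension(ev["path"], ev["new_path"])
            if ext:
                st["appended"][ext.lower()] += 1
                st["dirs"].add(ntpath.dirname(ev["path"]).lower())
    findings = []
    for pid, st in per_pid.items():
        if not st["appended"]:
            continue
        ext, n = st["appended"].most_common(1)[0]
        if n >= min_renames:
            findings.append({"pid": pid, "image": st["image"], "renames": n, "extension": ext,
                             "tmp_creates": st["tmp_creates"], "directories": len(st["dirs"])})
    return findings


if __name__ == "__main__":
    for hit in score_processes(EVENTS):
        print(hit)
```

The threshold is deliberately low for the constructed data; against real telemetry the report's own counts (thousands of files in under 150 s of kernel time) show how far the sample sits from the one-off `.bak` rename a backup tool produces, and a per-minute rate plus the spread across directories separates the two better than a raw count.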

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A

On its own this is a weak indicator: the same key backs the default-locale lookups that ordinary software performs at startup. It is consistent with the locale check many ransomware families run before encrypting, but the report does not show what the sample did with the value, so it carries weight here only alongside the mass file renames.

Processes

C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe

"C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe"

Network

N/A

Files

memory/1576-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-312935884-697965778-3955649944-1000\desktop.ini.tmp

MD5 f4930231fae8b52a5ef6e908cfd3850b
SHA1 739a081e210217acc6644c1797bab8407bc6aea5
SHA256 e6f7f94385054d3c005bfe07d965b7d6c7e58a9b89b7e1d51217918674ee24bc
SHA512 fc871a227fb3f655ee002bb743c79b5de61d95765360984ebbe00b9caa2b7df0ad5c34f76df85953c308872c5ce06d55976f18f9008bccb52d9df2fa7a321c81

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 5baa090feb2044e9ec1b1df47f25a67d
SHA1 a81510fab9d5255502e0d9f645dbf3a72fa60a2c
SHA256 cc927796c73de7583cae4ea5a7094a08af7c1dc2cb760783431d785ffbc451bd
SHA512 cbc711d7fad57a251f136926c4c9e5d3d962e94ae6d7bf469da47c8c645e9f6f7dd05b62b2ea4760458f2ce2d7f1440ca949e18d56037a788617b34632b6ec03

memory/1576-70-0x0000000000400000-0x000000000040A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-05 19:39

Reported

2024-10-05 19:42

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe"

Signatures

Renames multiple (5328) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
(no indicator rows recorded for this signature)

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-process-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTest-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\mip_upe_sdk.dll.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PROOF\MSSP7ES.dub.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\MS.GRAPH.16.1033.hxn.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\System.Windows.Controls.Ribbon.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial2-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHKEY.DAT.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN095.XML.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Microsoft Office\root\rsod\wordmui.msi.16.en-us.boot.tree.dat.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\es-ES\TipTsf.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ipsrom.xml.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Configuration.ConfigurationManager.dll.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\System.Windows.Forms.Design.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\javafx.properties.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest2-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Sockets.dll.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\System.Windows.Forms.Design.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\ucrtbase.dll.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-runtime-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_KMS_Client-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Trial-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\ext\jaccess.jar.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Tasks.Dataflow.dll.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\PresentationCore.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Retail-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\FilterModule.dll.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.scale-180.png.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ARIALNBI.TTF.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription2-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_OEM_Perp-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\7-Zip\7zG.exe.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\javap.exe.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\security\public_suffix_list.dat.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Java\jdk-1.8\legal\jdk\relaxngcc.md.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Microsoft Office\root\Integration\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Trial-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.OData.Core.NetFX35.V7.dll.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.NameResolution.dll.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\dtplugin\deployJava1.dll.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\unpack.dll.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\TrebuchetMs.xml.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\mscordaccore.dll.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Forms.Primitives.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Accessibility.dll.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_OEM_Perp-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.scale-140.png.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\gl\msipc.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ja-JP\InkObj.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Globalization.Calendars.dll.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Trial-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\ru\msipc.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Console.dll.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\ACEINTL.DLL.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-140.png.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\dotnet\host\fxr\8.0.2\hostfxr.dll.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.VisualBasic.dll.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.Primitives.dll.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\WindowsFormsIntegration.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_MAK-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Grace-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Formats.Asn1.dll.tmp C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe

"C:\Users\Admin\AppData\Local\Temp\036bae17ebd20b48963ea239df73542ccb526855d4744004e9b46899fef3be72.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 99.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
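The Network table records only reverse-DNS (PTR) queries to 8.8.8.8, with no process attribution, and the win7 run above recorded no network activity at all, so nothing on this page ties these lookups to the sample rather than to the win10 image's background traffic. Before pivoting on them it helps to decode the in-addr.arpa names back into the addresses that were looked up. The following is an added example for this report, not sandbox code; it also handles ip6.arpa names, which go beyond the IPv4-only table.

```python
"""Decode PTR query names from a sandbox network table into the addresses they refer to."""
import ipaddress

# Copied from the behavioral2 Network table.
PTR_QUERIES = [
    "228.249.119.40.in-addr.arpa",
    "99.209.201.84.in-addr.arpa",
    "72.32.126.40.in-addr.arpa",
    "200.163.202.172.in-addr.arpa",
    "198.187.3.20.in-addr.arpa",
    "98.117.19.2.in-addr.arpa",
    "240.221.184.93.in-addr.arpa",
    "43.229.111.52.in-addr.arpa",
]


def ptr_name_to_ip(name: str):
    """Reverse a <octets>.in-addr.arpa or <nibbles>.ip6.arpa name into an ip_address object."""
    n = name.strip().lower().rstrip(".")
    if n.endswith(".in-addr.arpa"):
        octets = n[: -len(".in-addr.arpa")].split(".")
        if len(octets) != 4:
            raise ValueError(f"expected 4 octets: {name}")
        return ipaddress.ip_address(".".join(reversed(octets)))
    if n.endswith(".ip6.arpa"):
        nibbles = n[: -len(".ip6.arpa")].split(".")
        if len(nibbles) != 32:
            raise ValueError(f"expected 32 nibbles: {name}")
        hexdigits = "".join(reversed(nibbles))
        return ipaddress.ip_address(":".join(hexdigits[i:i + 4] for i in range(0, 32, 4)))
    raise ValueError(f"not a reverse-lookup name: {name}")


def decode_ptr_queries(names):
    """One row per query: the decoded address and whether it is globally routable (worth enriching)."""
    rows = []
    for n in names:
        ip = ptr_name_to_ip(n)
        rows.append({"query": n, "address": str(ip), "global": ip.is_global})
    return rows


if __name__ == "__main__":
    for row in decode_ptr_queries(PTR_QUERIES):
        print(row)
```

Feed the decoded addresses to whatever enrichment you use (ASN, passive DNS), but keep the attribution caveat: a PTR lookup of a public address is something the OS and its update clients do on their own, and this report gives no process or timing data to link the queries to the ransomware's execution.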

Files

memory/4632-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-523280732-2327480845-3730041215-1000\desktop.ini.tmp

MD5 9bcd8b260e5c8a1544bb4c2e981288f9
SHA1 c103add360088b659ba832defd90e3165a257018
SHA256 48c7d6a491e183e3f53a50ff5098246f808c88745293366fff0b8d1b5e11baaf
SHA512 6ca12fb8423edb336f624101f094a3ed6106d4a52a35324c3ebe2d5d5b6a54c511d4e1f839777c38aca796c3fedfd4f94cda5d05637bac7dfc7457d75a1a90c2

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 c1f71f0a098ad7cb0379692438dc4f9e
SHA1 246ba62b1cb199d95a4123ec3358f4ca7283fbf8
SHA256 bf3404f16846ec7dade17399b4c440bdb2fa4fe341e5be20773b6acec3efa113
SHA512 02d59347c4eaa9846598342c497d41dee6fc0b0051c7a275d3366509f65b18f89bc351c07b4f315a03331572c2cb72e37e3c656b02209aa3fdd5c5353de2cb30

memory/4632-1086-0x0000000000400000-0x000000000040A000-memory.dmp