Malware Analysis Report

2025-01-22 19:58

Sample ID 241016-ypyhestbln
Target 36c936b8cfd3efadd72abedde64806fe4b45bea1cb8003393c1eb6ae2c5ae234
SHA256 36c936b8cfd3efadd72abedde64806fe4b45bea1cb8003393c1eb6ae2c5ae234
Tags
upx discovery ransomware
score
9/10

Analysis Overview

score
9/10

SHA256

36c936b8cfd3efadd72abedde64806fe4b45bea1cb8003393c1eb6ae2c5ae234

Threat Level: Likely malicious

The file 36c936b8cfd3efadd72abedde64806fe4b45bea1cb8003393c1eb6ae2c5ae234 was found to be: Likely malicious.

Malicious Activity Summary

upx discovery ransomware

Renames multiple (5058) files with added filename extension

Renames multiple (3786) files with added filename extension

UPX packed file

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-16 19:58

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 19:58

Reported

2024-10-16 20:00

Platform

win7-20240708-en

Max time kernel

149s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\36c936b8cfd3efadd72abedde64806fe4b45bea1cb8003393c1eb6ae2c5ae234.exe"

Signatures

Renames multiple (3786) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\36c936b8cfd3efadd72abedde64806fe4b45bea1cb8003393c1eb6ae2c5ae234.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\36c936b8cfd3efadd72abedde64806fe4b45bea1cb8003393c1eb6ae2c5ae234.exe

"C:\Users\Admin\AppData\Local\Temp\36c936b8cfd3efadd72abedde64806fe4b45bea1cb8003393c1eb6ae2c5ae234.exe"

Network

N/A

Files

memory/1676-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-1506706701-1246725540-2219210854-1000\desktop.ini.tmp

MD5 fd13304e643fa5567bc4329d5c178b53
SHA1 38fbb812549dd42406a873e43c19c248ca94b20a
SHA256 4aa699f20024edd9dded53405ec551ccd3468718d39cf1800f7549b58eec4b04
SHA512 fb975e1f3992b0d704fc5a4aa257ab7012672ffc6985997362e50ead91ebf52706a4b98c3bb61b1c6c16e8b50e2f9f8e116c72940bab1d5b084030b5e98ab40b

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 6e98dead6b7ab9201fbf5226ee99d057
SHA1 deba08832ed5e4c6d5b4beb0f1c2e191bbe54b99
SHA256 1a5d92173242c5aba7c21bed9eed4317e1907354537fb28b9643e912218f84e6
SHA512 adb01f62131e94d0a996742d1b43b96827efca4cab9b74fcd2474402405c975e76e23c083c5655b7e8438f1f86f5316a4395bdd2ffa8dd7fa4fd4898b17e8d90

memory/1676-69-0x0000000000400000-0x000000000040A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 19:58

Reported

2024-10-16 20:00

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\36c936b8cfd3efadd72abedde64806fe4b45bea1cb8003393c1eb6ae2c5ae234.exe"

Signatures

Renames multiple (5058) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\36c936b8cfd3efadd72abedde64806fe4b45bea1cb8003393c1eb6ae2c5ae234.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\36c936b8cfd3efadd72abedde64806fe4b45bea1cb8003393c1eb6ae2c5ae234.exe

"C:\Users\Admin\AppData\Local\Temp\36c936b8cfd3efadd72abedde64806fe4b45bea1cb8003393c1eb6ae2c5ae234.exe"

Network

Country Destination Domain Proto

Files

memory/3540-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3756129449-3121373848-4276368241-1000\desktop.ini.tmp

MD5 a805f227b5b854e8e030a8a765a483e3
SHA1 5005ca8a5aaf85e29fbf39eb63878548cf4f740e
SHA256 050881b8e4526bb5a0826ffc514afe0ec755b10df87f72b33b3774b5bf49af44
SHA512 e3cacfa8e2f85ab1170c213b5292d76c5390025465ec0a4cc1330a19ee980cac45e6700cfdce8fdbe460d4ee4a7c13d537e07ceffc13a31c024fc4f36d749adb

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 b410e265d67d6c4e796ef017afba2d3e
SHA1 191bf9b1d32340c87c86b195dcfbbf665a152595
SHA256 2c3ea4f8718661fe87814635e44695f261fcf34f97bc012bae5c409425a14480
SHA512 27af13b28c012393f53e4d141feb37a95947e0b477aa993471af4f98a9963259ae96c9d501347d2f9ad4930747da13dcce9f69719bc83756f4cffcc87975129b

memory/3540-665-0x0000000000400000-0x000000000040A000-memory.dmp