Malware Analysis Report

2025-03-15 08:19

Sample ID 241020-zxjvnssapq
Target 3e8bffbe9546372f61ede0f9212cf335c8e4d9a5df847043af2cb1b536e03ef4
SHA256 3e8bffbe9546372f61ede0f9212cf335c8e4d9a5df847043af2cb1b536e03ef4
Tags
upx discovery ransomware
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

3e8bffbe9546372f61ede0f9212cf335c8e4d9a5df847043af2cb1b536e03ef4

Threat Level: Likely malicious

The file 3e8bffbe9546372f61ede0f9212cf335c8e4d9a5df847043af2cb1b536e03ef4 was found to be: Likely malicious.

Malicious Activity Summary

upx discovery ransomware

Renames multiple (3690) files with added filename extension

Renames multiple (4766) files with added filename extension

UPX packed file

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-20 21:05

Signatures

UPX packed file

upx

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-10-20 21:05

Reported

2024-10-20 21:08

Platform

win7-20240729-en

Max time kernel

150s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3e8bffbe9546372f61ede0f9212cf335c8e4d9a5df847043af2cb1b536e03ef4.exe"

Signatures

Renames multiple (3690) files with added filename extension

ransomware

UPX packed file

upx

Drops file in Program Files directory

Description Indicator Process Target

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3e8bffbe9546372f61ede0f9212cf335c8e4d9a5df847043af2cb1b536e03ef4.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3e8bffbe9546372f61ede0f9212cf335c8e4d9a5df847043af2cb1b536e03ef4.exe

"C:\Users\Admin\AppData\Local\Temp\3e8bffbe9546372f61ede0f9212cf335c8e4d9a5df847043af2cb1b536e03ef4.exe"

Network

N/A

Files

memory/2684-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2703099537-420551529-3771253338-1000\desktop.ini.tmp

MD5 5be16581bd5c112d3592e04902d9689c
SHA1 bff7c3a03ee8c2507d9a5ff6a47578b2fb2bc13c
SHA256 4fa5c7cd075a03d1366b81f8e027e0d6d915058e81ec7004f55cdd6012a2bb7b
SHA512 a38e6aa6d26c4f97283cc9ea221a9169eaecae08e0d5872451923c3c7aba3bef199c90c0f077bbd7dd2a120feb7bf70e2001d3c1bf9cca904aff4f33ae2b0707

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 e383e8581eacbb7e4f48db8d587204fb
SHA1 a6651c1867e3b16d768c74ac2c2f43fcc61b5ae4
SHA256 a1d56f7f92d49d70adf0fe7df0c1427894003d2714e8d7e19f34e7cbda676d81
SHA512 ef5b092ee61fade67b63cf8977a7daf2f76107c70222ebb8892695063f29326108c577cc3c7bf76608ded75a1d0b4aba5e5537ba726b2ece69d7734b0feac8a2

memory/2684-69-0x0000000000400000-0x000000000040A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-20 21:05

Reported

2024-10-20 21:08

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3e8bffbe9546372f61ede0f9212cf335c8e4d9a5df847043af2cb1b536e03ef4.exe"

Signatures

Renames multiple (4766) files with added filename extension

ransomware

UPX packed file

upx

Drops file in Program Files directory

Description Indicator Process Target

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3e8bffbe9546372f61ede0f9212cf335c8e4d9a5df847043af2cb1b536e03ef4.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3e8bffbe9546372f61ede0f9212cf335c8e4d9a5df847043af2cb1b536e03ef4.exe

"C:\Users\Admin\AppData\Local\Temp\3e8bffbe9546372f61ede0f9212cf335c8e4d9a5df847043af2cb1b536e03ef4.exe"

Network

Country Destination Domain Proto

Files

memory/4556-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2045521122-590294423-3465680274-1000\desktop.ini.tmp

MD5 45c8bd3c1230e27520a7f7a9151f1d85
SHA1 9c7e009adf4f48eaf63e57f45970e24f11c86aba
SHA256 637df0203a75fc495ea8c9468ec080843ad7e9ad63f94b13133f966542e79446
SHA512 ac4bc83b6e30a6d4224268f9e2f88ad1c54c0790e215cca6d11e4c86d1d3e43107ec69b59aaf72e7d21fde7a8e61ab70d3afd469444895af5a77b17dbd9bb2f8

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 12edd6f382f1cb8e0755d85c40777bc8
SHA1 12c3b7b5518d8995f3dffee36cd2807756dee49a
SHA256 19b79390ee7f531bebe3c2ebf09c26e1d8a3c68d8e86648434959ce50dfabfee
SHA512 46650dcea08ff699ee01457de9c9ad361f88a322c51b7be8ad2335fb38e2a8659e41e051d36fd83dcd148fe04612fa4509dd83ca7f2cacb3b516f3e9ea1fa2db

memory/4556-654-0x0000000000400000-0x000000000040A000-memory.dmp