Malware Analysis Report

2024-12-07 10:01

Sample ID 241114-1dqdsaxkck
Target 43e9e8c119327d4d74f0aa4fc71924bf2bd072882a40ea8af43b6338a88a72e5
SHA256 43e9e8c119327d4d74f0aa4fc71924bf2bd072882a40ea8af43b6338a88a72e5
Tags
upx discovery ransomware
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

43e9e8c119327d4d74f0aa4fc71924bf2bd072882a40ea8af43b6338a88a72e5

Threat Level: Likely malicious

The file 43e9e8c119327d4d74f0aa4fc71924bf2bd072882a40ea8af43b6338a88a72e5 was found to be: Likely malicious.

Malicious Activity Summary

upx discovery ransomware

Renames multiple files with added filename extension: 3490 files in behavioral1 (Windows 7) and 4653 in behavioral2 (Windows 10). Every file dropped under Program Files is the original name with .tmp appended, written beside the original (for example 7z.exe.tmp next to 7z.exe), and the one renamed result collected under Files in behavioral2 is C:\Program Files\7-Zip\7-zip.dll.exe, i.e. the original 7-zip.dll with .exe appended. This is consistent with the write-temporary-copy-then-rename pattern used by file-encrypting ransomware.

UPX packed file

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

MITRE ATT&CK

Enterprise Matrix V15. Techniques indicated by the signatures in this report, mapped by technique name: T1027.002 Obfuscated Files or Information: Software Packing (UPX packed file); T1614.001 System Location Discovery: System Language Discovery (the NLS\Language registry read); T1486 Data Encrypted for Impact (the ransomware-tagged mass rename).

Analysis: static1

Detonation Overview

Reported

2024-11-14 21:32

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
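The two static signatures above can be reproduced from the PE headers alone. The following Python is an added example, not the sandbox's own check and not code from the report: it walks the DOS/COFF/optional headers, reads the section table and the security data directory, and flags UPX section names, a packer-like first section with no bytes on disk, and the absence of an embedded Authenticode certificate table. It runs against a hypothetical PE assembled in memory by build_pe (not the report's sample); pass a file path to check a real binary. One caveat that matters in practice: catalog-signed Windows binaries also have an empty security directory, so "Unsigned PE" here means "no embedded Authenticode signature", not "unsigned by Microsoft".

```python
import struct
import sys

# IMAGE_DIRECTORY_ENTRY_SECURITY: the data directory that points at the
# Authenticode certificate table (WIN_CERTIFICATE blob) in a PE file.
SECURITY_DIRECTORY_INDEX = 4
# Section names written by the stock UPX stub; the hypothetical image built
# below uses them.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b".UPX0", b".UPX1"}


def parse_pe(data: bytes) -> dict:
    """Minimal PE header walk: section table plus the security data directory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    (_machine, n_sections, _stamp, _symtab, _nsyms,
     opt_size, _chars) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32: data directories start 96 bytes into the optional header
        dd_offset = 96
    elif magic == 0x20B:      # PE32+: 112 bytes in
        dd_offset = 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    sec_rva, sec_size = struct.unpack_from(
        "<II", data, opt + dd_offset + 8 * SECURITY_DIRECTORY_INDEX)
    sections = []
    table = opt + opt_size
    for i in range(n_sections):
        entry = table + 40 * i
        name = data[entry:entry + 8].rstrip(b"\0")
        vsize, vaddr, raw_size, _raw_ptr = struct.unpack_from("<IIII", data, entry + 8)
        sections.append({"name": name, "virtual_size": vsize,
                         "virtual_address": vaddr, "raw_size": raw_size})
    return {"magic": magic, "sections": sections,
            "security_rva": sec_rva, "security_size": sec_size}


def static_signatures(data: bytes) -> dict:
    """Reproduce the report's two static signatures from the parsed headers."""
    pe = parse_pe(data)
    names = [s["name"] for s in pe["sections"]]
    first = pe["sections"][0] if pe["sections"] else None
    return {
        "sections": names,
        # "UPX packed file": the stock UPX stub names its sections UPX0/UPX1.
        "upx": any(n in UPX_SECTION_NAMES for n in names),
        # Packer-like layout regardless of names: the first section has no bytes
        # on disk but a large virtual size, i.e. it is filled at run time.
        "packer_like": bool(first) and first["raw_size"] == 0 and first["virtual_size"] > 0,
        # "Unsigned PE": no embedded Authenticode certificate table. Catalog-signed
        # Windows binaries also have an empty security directory.
        "unsigned_pe": pe["security_size"] == 0,
    }


def build_pe(section_names, security_size=0, magic=0x10B) -> bytes:
    """Construct a hypothetical PE image (not the report's sample) for testing."""
    opt_size = 224 if magic == 0x10B else 240
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    dd_offset = 96 if magic == 0x10B else 112
    struct.pack_into("<II", opt, dd_offset + 8 * SECURITY_DIRECTORY_INDEX,
                     0x1000 if security_size else 0, security_size)
    table = b""
    for i, name in enumerate(section_names):
        raw_size = 0 if name.startswith(b"UPX0") else 0x1000   # UPX0 is empty on disk
        table += struct.pack("<8sIIIIIIHHI", name, 0x8000, 0x1000 * (i + 1),
                             raw_size, 0x400, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + bytes(opt) + table


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(target, "rb").read() if target else build_pe([b"UPX0", b"UPX1", b".rsrc"])
    print(static_signatures(blob))
```

The section-name check is what most sandbox "UPX" rules do and is trivially defeated by renaming sections after packing; the packer_like heuristic (empty first section with a large virtual size) survives that and is worth keeping alongside it.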

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-14 21:32

Reported

2024-11-14 21:34

Platform

win7-20240903-en

Max time kernel

150s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\43e9e8c119327d4d74f0aa4fc71924bf2bd072882a40ea8af43b6338a88a72e5.exe"

Signatures

Renames multiple (3490) files with added filename extension

ransomware

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in Program Files directory

Process for every row: C:\Users\Admin\AppData\Local\Temp\43e9e8c119327d4d74f0aa4fc71924bf2bd072882a40ea8af43b6338a88a72e5.exe. Target for every row: N/A.
Description | Indicator
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macTSFrame.png.tmp
File created | C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll.tmp
File created | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_windy.png.tmp
File created | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-new_partly-cloudy.png.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Prague.tmp
File created | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_single_orange.png.tmp
File created | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\rings-dock.png.tmp
File created | C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\js\service.js.tmp
File created | C:\Program Files\Microsoft Games\Purble Place\it-IT\PurblePlace.exe.mui.tmp
File created | C:\Program Files\VideoLAN\VLC\plugins\video_output\libwingdi_plugin.dll.tmp
File created | C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOMessageProvider.dll.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-execution_zh_CN.jar.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\THIRDPARTYLICENSEREADME-JAVAFX.txt.tmp
File created | C:\Program Files\Java\jre7\lib\zi\Asia\Novokuznetsk.tmp
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\content-background.png.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\about.html.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.xml_1.3.4.v201005080400.jar.tmp
File created | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_blue_snow.png.tmp
File created | C:\Program Files\Common Files\Microsoft Shared\Stationery\Blue_Gradient.jpg.tmp
File created | C:\Program Files\Common Files\System\Ole DB\msdaosp.dll.tmp
File created | C:\Program Files\Internet Explorer\en-US\F12Resources.dll.mui.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\cacerts.tmp
File created | C:\Program Files\Java\jre7\bin\t2k.dll.tmp
File created | C:\Program Files\VideoLAN\VLC\plugins\demux\libes_plugin.dll.tmp
File created | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\prev_rest.png.tmp
File created | C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee100.tlb.tmp
File created | C:\Program Files\Internet Explorer\en-US\networkinspection.dll.mui.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\jre\bin\javafx-iio.dll.tmp
File created | C:\Program Files\Java\jre7\bin\fxplugins.dll.tmp
File created | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\css\settings.css.tmp
File created | C:\Program Files\Common Files\Microsoft Shared\Stationery\grid_(inch).wmf.tmp
File created | C:\Program Files\Common Files\System\msadc\de-DE\msaddsr.dll.mui.tmp
File created | C:\Program Files\Java\jre7\bin\jsdt.dll.tmp
File created | C:\Program Files\Mozilla Firefox\browser\features\[email protected]
File created | C:\Program Files\Microsoft Office\Office14\1033\MAPISHELLR.DLL.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.nl_zh_4.4.0.v20140623020002.jar.tmp
File created | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\js\picturePuzzle.js.tmp
File created | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\18.png.tmp
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-back-static.png.tmp
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationRight_SelectionSubpicture.png.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\management-agent.jar.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.lucene.analysis_3.5.0.v20120725-1805.jar.tmp
File created | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\js\calendar.js.tmp
File created | C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\base-docked.png.tmp
File created | C:\Program Files\7-Zip\7z.exe.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Jayapura.tmp
File created | C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\vlc.mo.tmp
File created | C:\Program Files\VideoLAN\VLC\lua\http\dialogs\stream_config_window.html.tmp
File created | C:\Program Files\Java\jre7\lib\zi\America\Mexico_City.tmp
File created | C:\Program Files\Mozilla Firefox\lgpllibs.dll.tmp
File created | C:\Program Files\7-Zip\Lang\ca.txt.tmp
File created | C:\Program Files\Common Files\Microsoft Shared\ink\mshwjpnr.dll.tmp
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationUp_SelectionSubpicture.png.tmp
File created | C:\Program Files\Google\Chrome\Application\master_preferences.tmp
File created | C:\Program Files\Microsoft Games\Purble Place\PurblePlace2.dll.tmp
File created | C:\Program Files\VideoLAN\VLC\plugins\codec\libttml_plugin.dll.tmp
File created | C:\Program Files\Windows Defender\fr-FR\MpEvMsg.dll.mui.tmp
File created | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\gadget.xml.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Anchorage.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Detroit.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Ulaanbaatar.tmp
File created | C:\Program Files\Java\jre7\lib\zi\Etc\GMT+10.tmp
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.dll.tmp
File created | C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InkWatson.exe.mui.tmp

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\43e9e8c119327d4d74f0aa4fc71924bf2bd072882a40ea8af43b6338a88a72e5.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\43e9e8c119327d4d74f0aa4fc71924bf2bd072882a40ea8af43b6338a88a72e5.exe

"C:\Users\Admin\AppData\Local\Temp\43e9e8c119327d4d74f0aa4fc71924bf2bd072882a40ea8af43b6338a88a72e5.exe"

Network

N/A

Files

memory/840-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-1846800975-3917212583-2893086201-1000\desktop.ini.tmp

MD5 1a8b3438cf37078c5892952bd273eb06
SHA1 1ecc7cf967579dcc77db0a4bb314af54350d7584
SHA256 9fbff3b1e95978d0ea974522033eb8e7e8213d1a65cf35e00b3bf5a3f8f02403
SHA512 67ec3e719d26133f66505035180e5e00276af42488ae04bb1f432e3db79b7bae96a76853bceba0ad1e62c2ececdb500906cc1eff73bc55a69fd987dceb3219ce

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 b8442cdc3f39656cb7017d19ce811272
SHA1 49ed2b715c5e329c14b09a6f82fc8f579bd2c948
SHA256 25c76ad9f81a824245a2440dcd87608522489551486bd08d015bdfb2e108f544
SHA512 3f5d536ce56b2a592f46682ca120beda5c8d4ecdb4a262026e1de17afecfd34aff873ba5d7b975ea9cc617df2976a05d2dfdbf9f04c64eac246b8ffeec3f707a

memory/840-70-0x0000000000400000-0x000000000040B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-14 21:32

Reported

2024-11-14 21:34

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\43e9e8c119327d4d74f0aa4fc71924bf2bd072882a40ea8af43b6338a88a72e5.exe"

Signatures

Renames multiple (4653) files with added filename extension

ransomware

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in Program Files directory

Process for every row: C:\Users\Admin\AppData\Local\Temp\43e9e8c119327d4d74f0aa4fc71924bf2bd072882a40ea8af43b6338a88a72e5.exe. Target for every row: N/A.
Description | Indicator
File created | C:\Program Files\7-Zip\History.txt.tmp
File created | C:\Program Files\7-Zip\Lang\fr.txt.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\WindowsBase.resources.dll.tmp
File created | C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-ul-phn.xrm-ms.tmp
File created | C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Trial-ul-oob.xrm-ms.tmp
File created | C:\Program Files\7-Zip\Lang\ps.txt.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Data.Common.dll.tmp
File created | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe.tmp
File created | C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART15.BDR.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.dll.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\PresentationCore.resources.dll.tmp
File created | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe.tmp
File created | C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_MAK-ppd.xrm-ms.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\Microsoft.VisualBasic.Forms.resources.dll.tmp
File created | C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Retail-ul-oob.xrm-ms.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.Annotations.dll.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ServiceModel.Web.dll.tmp
File created | C:\Program Files\Java\jdk-1.8\jre\bin\lcms.dll.tmp
File created | C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-ul-oob.xrm-ms.tmp
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_KMS_Client-ul-oob.xrm-ms.tmp
File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.EventSource.dll.tmp
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClientIsv.man.tmp
File created | C:\Program Files\Microsoft Office\root\Office16\MSO.FRAMEPROTOCOLWIN32.DLL.tmp
File created | C:\Program Files\7-Zip\Uninstall.exe.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-environment-l1-1-0.dll.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.XDocument.dll.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\UIAutomationProvider.resources.dll.tmp
File created | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Yellow Orange.xml.tmp
File created | C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Trial-pl.xrm-ms.tmp
File created | C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Trial-ul-oob.xrm-ms.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Private.DataContractSerialization.dll.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Windows.Forms.resources.dll.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\UIAutomationClient.resources.dll.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ReachFramework.dll.tmp
File created | C:\Program Files\Microsoft Office\root\Client\AppvIsvSubsystems32.dll.tmp
File created | C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Grace-ul-oob.xrm-ms.tmp
File created | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Top Shadow.eftx.tmp
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-locale-l1-1-0.dll.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Primitives.dll.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Windows.Forms.Design.resources.dll.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\ReachFramework.resources.dll.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\UIAutomationProvider.resources.dll.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Luna.dll.tmp
File created | C:\Program Files\Java\jdk-1.8\jre\THIRDPARTYLICENSEREADME.txt.tmp
File created | C:\Program Files\Java\jre-1.8\bin\wsdetect.dll.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Principal.dll.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Windows.Forms.resources.dll.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Windows.Forms.Design.resources.dll.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\System.Windows.Controls.Ribbon.resources.dll.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Windows.Forms.Primitives.resources.dll.tmp
File created | C:\Program Files\Java\jre-1.8\bin\orbd.exe.tmp
File created | C:\Program Files\Java\jre-1.8\bin\WindowsAccessBridge-64.dll.tmp
File created | C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-black_scale-180.png.tmp
File created | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-ul-phn.xrm-ms.tmp
File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\WPFEXTENSIONS.DLL.tmp
File created | C:\Program Files\7-Zip\Lang\ro.txt.tmp
File created | C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-sysinfo-l1-1-0.dll.tmp
File created | C:\Program Files\Java\jdk-1.8\bin\jstat.exe.tmp
File created | C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.scale-180.png.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Emit.dll.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\PresentationFramework.resources.dll.tmp
File created | C:\Program Files\Java\jdk-1.8\jre\bin\prism_common.dll.tmp
File created | C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Trial-ul-oob.xrm-ms.tmp
File created | C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_Subscription-ppd.xrm-ms.tmp

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\43e9e8c119327d4d74f0aa4fc71924bf2bd072882a40ea8af43b6338a88a72e5.exe | N/A
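The three behavioural signatures reported in both behavioral1 and behavioral2 (the mass rename with an appended extension, the .tmp drops under Program Files, and the NLS\Language registry read) can be reproduced from a file/registry event stream. The Python below is an added example, not the sandbox's rule set and not code from the report. It runs over a constructed event log embedded in the block; the event format, the paths and the appended .exe extension (modelled on the one renamed file the report collected, 7-zip.dll.exe) are assumptions, and the count at which the sandbox says "multiple" is not stated on the page, so it is a parameter here. The extra tmp_staging_pairs check ties each dropped X.tmp to a later rename of X, which is the encrypt-to-temporary-then-rename pattern the report's tables show.

```python
import re
from collections import Counter

# Constructed sample of kernel file/registry events (not taken from the report).
# One event per line: OP  path[ -> new path]. The .exe suffix is an assumption
# modelled on the single renamed file the report collected (7-zip.dll.exe).
SAMPLE_EVENTS = r"""
REGOPEN  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
CREATE   C:\Users\Admin\AppData\Local\Temp\run.log
CREATE   C:\Program Files\7-Zip\7-zip.dll.tmp
RENAME   C:\Program Files\7-Zip\7-zip.dll -> C:\Program Files\7-Zip\7-zip.dll.exe
CREATE   C:\Program Files\7-Zip\7z.exe.tmp
RENAME   C:\Program Files\7-Zip\7z.exe -> C:\Program Files\7-Zip\7z.exe.exe
CREATE   C:\Program Files\Java\jre7\bin\t2k.dll.tmp
RENAME   C:\Program Files\Java\jre7\bin\t2k.dll -> C:\Program Files\Java\jre7\bin\t2k.dll.exe
CREATE   C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.dll.tmp
RENAME   C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.dll -> C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.dll.exe
CREATE   C:\$Recycle.Bin\S-1-5-21-1000\desktop.ini.tmp
RENAME   C:\$Recycle.Bin\S-1-5-21-1000\desktop.ini -> C:\$Recycle.Bin\S-1-5-21-1000\desktop.ini.exe
RENAME   C:\Users\Admin\Documents\notes.txt -> C:\Users\Admin\Documents\notes.txt.exe
RENAME   C:\Users\Admin\Documents\report.docx -> C:\Users\Admin\Documents\report.docx.exe
RENAME   C:\Users\Admin\Downloads\setup.tmp -> C:\Users\Admin\Downloads\setup.bak
"""

EVENT_RE = re.compile(r"^(\w+)\s+(.*?)(?: -> (.*))?$")
PROGRAM_FILES = ("c:\\program files\\", "c:\\program files (x86)\\")
NLS_LANGUAGE_KEY = "\\control\\nls\\language"   # matched case-insensitively, any ControlSet


def parse_events(text):
    """Turn the line format above into dicts with op, path and optional new_path."""
    events = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        op, path, new_path = m.groups()
        events.append({"op": op.upper(), "path": path, "new_path": new_path})
    return events


def renames_with_added_extension(events):
    """Renames where the new name is the old name plus exactly one more '.ext'."""
    hits = []
    for e in events:
        if e["op"] != "RENAME" or not e["new_path"]:
            continue
        old, new = e["path"], e["new_path"]
        if new.startswith(old) and len(new) > len(old) + 1 and new[len(old)] == ".":
            hits.append((old, new[len(old):]))
    return hits


def appended_extensions(events):
    """Which suffixes were appended, and how often: the analyst's search term."""
    return Counter(ext for _, ext in renames_with_added_extension(events))


def drops_in_program_files(events):
    return [e["path"] for e in events
            if e["op"] == "CREATE" and e["path"].lower().startswith(PROGRAM_FILES)]


def tmp_staging_pairs(events):
    """Created X.tmp files whose stem X is later renamed: encrypt-to-temp-then-rename."""
    renamed = {e["path"] for e in events if e["op"] == "RENAME"}
    return [e["path"] for e in events
            if e["op"] == "CREATE" and e["path"].lower().endswith(".tmp")
            and e["path"][:-4] in renamed]


def system_language_discovery(events):
    return any(e["op"] == "REGOPEN" and e["path"].lower().endswith(NLS_LANGUAGE_KEY)
               for e in events)


def triage(events, rename_threshold=5):
    """Emit (tag, signature text) pairs in the same wording the report uses."""
    findings = []
    renamed = renames_with_added_extension(events)
    if len(renamed) >= rename_threshold:
        findings.append(("ransomware",
                         f"Renames multiple ({len(renamed)}) files with added filename extension"))
    if drops_in_program_files(events):
        findings.append((None, "Drops file in Program Files directory"))
    if system_language_discovery(events):
        findings.append(("discovery", "System Location Discovery: System Language Discovery"))
    return findings


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for tag, text in triage(evs):
        print(f"[{tag or '-'}] {text}")
    print("appended extensions:", dict(appended_extensions(evs)))
    print("staged via .tmp:", len(tmp_staging_pairs(evs)))
```

To run this over a real trace, convert Process Monitor or ETW file-I/O output into the three event kinds (CREATE, RENAME with old and new path, REGOPEN); Sysmon on its own is not enough because it logs file creation and registry access but not renames. The registry rule matches any ControlSet and is case-insensitive, since the report shows ControlSet001 in the sandbox but a live host may go through CurrentControlSet.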

Processes

C:\Users\Admin\AppData\Local\Temp\43e9e8c119327d4d74f0aa4fc71924bf2bd072882a40ea8af43b6338a88a72e5.exe

"C:\Users\Admin\AppData\Local\Temp\43e9e8c119327d4d74f0aa4fc71924bf2bd072882a40ea8af43b6338a88a72e5.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp

All nine entries are reverse-DNS (PTR) queries to Google Public DNS for addresses in the in-addr.arpa zone; no connection attributed to the sample process is recorded in either run, and behavioral1 on Windows 7 recorded no network activity at all. They are consistent with background traffic of the Windows 10 image rather than command-and-control, and should not be used as network indicators for this sample on their own.

Files

memory/3952-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-493223053-2004649691-1575712786-1000\desktop.ini.tmp

MD5 9ec3bfc9a270ef68b1b5ff717567cba5
SHA1 d190268cce56d057f3cc8c83007739a958f27741
SHA256 e8a1930dba0c8eb848789935d4d43c3d6fa6f25555e4e4c2cd89bc2557e0e667
SHA512 cb3b92aa639c3ce5b5ae3e707f644d973513f2d766a95774da96843881b5b5bbb8f4c1735b5f1132742b9c7b3c6fae3062896ffd41d5d9e7509de0151abb7f3d

C:\Program Files\7-Zip\7-zip.dll.exe

MD5 61b217b1d23e8395850135220691094d
SHA1 10da2e8beb70e39c940d4d824beb797f1016d34d
SHA256 fbac5101531a8782034c0c6af4ac0072dd23176ee31766b6edb928cab9633f80
SHA512 4873f1fa12edbf0686f43548fa9d766be34cef8850f063d49e934e60cd7d0760e39da7ecff64aa3aefd38c7e943282b1f387bd6099d521ccb668029667464a16

memory/3952-652-0x0000000000400000-0x000000000040B000-memory.dmp