Malware Analysis Report

2025-01-03 08:32

Sample ID 240610-263egsvbka
Target 6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b
SHA256 6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b
Tags
upx ransomware
score
10/10

Analysis Overview

score
10/10

SHA256

6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b

Threat Level: Known bad

The file 6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b was found to be: Known bad.

Malicious Activity Summary

upx ransomware

UPX dump on OEP (original entry point)

Renames multiple (3547) files with added filename extension

UPX dump on OEP (original entry point)

Renames multiple (5194) files with added filename extension

UPX packed file

Drops file in Program Files directory

Unsigned PE

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-10 23:12

Signatures

UPX dump on OEP (original entry point)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 23:12

Reported

2024-06-10 23:15

Platform

win7-20240215-en

Max time kernel

150s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe"

Signatures

Renames multiple (3547) files with added filename extension

ransomware

UPX dump on OEP (original entry point)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Common Files\Microsoft Shared\Stationery\OrangeCircles.jpg.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.intro.zh_CN_5.5.0.165303.jar.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-heapwalker_ja.jar.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_rtp_plugin.dll.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\js\calendar.js.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\ipsfin.xml.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Vancouver.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Kuching.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Tahiti.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Java\jre7\lib\security\cacerts.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Grand_Turk.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.diagnostic.ja_5.5.0.165303.jar.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-keyring.jar.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Java\jre7\lib\zi\America\Guatemala.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Mozilla Firefox\mozavutil.dll.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\en-US\split.avi.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\EnterEdit.rmi.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-editor-mimelookup.xml.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libchorus_flanger_plugin.dll.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Mexico_City.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_mru_on_win7.css.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\de-DE\gadget.xml.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\10.png.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\18.png.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\play-background.png.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Windows Media Player\de-DE\wmplayer.exe.mui.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Windows Media Player\fr-FR\wmpnetwk.exe.mui.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\css\currency.css.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_left_mousedown.png.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Boise.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\CET.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\WindowsFormsIntegration.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Mozilla Firefox\softokn3.dll.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\UIAutomationProvider.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\hwrcatsh.dat.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Tallinn.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-uihandler.xml.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-lib-profiler-common.jar.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\about.html.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Java\jre7\bin\server\jvm.dll.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\lua\http\mobile_view.html.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\plugins\codec\libvpx_plugin.dll.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_dot.png.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\gadget.xml.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-previous-static.png.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.dll.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.DataSetExtensions.dll.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Windows Defender\de-DE\MsMpRes.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\localizedStrings.js.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.commands_3.6.100.v20140528-1422.jar.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_Waitcursor.gif.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\localizedStrings.js.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-profiling_ja.jar.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\plugins\access\libshm_plugin.dll.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Windows Journal\ja-JP\NBMapTIP.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\dial_sml.png.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\settings.html.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\msinfo32.exe.mui.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Yakutsk.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-editor-mimelookup-impl.xml.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Java\jre7\lib\zi\America\Creston.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\en-US\tabskb.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe

"C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe"

Network

N/A

Files

memory/1756-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2248906074-2862704502-246302768-1000\desktop.ini.tmp

MD5 5686bbfefc9ac04d088d73b29ee44b22
SHA1 6c098f3dcb4f923d02fd5e8613ecd2c138f1cf68
SHA256 a9f5a4e1293c325ddf139f58510094d1bde2b6f159ffebe99c81e3d0dcf7b029
SHA512 1a516fbf0652472bf1ca2f1bbb802205fb07a3fa2b9a4d20fd6af32795e63fdc44e602fc74f693e50cb1bdd41baf021fe72ef8e33832f2304c6a580ae8f474ae

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 25adf03d6a8e8941dda9c0cd37b0d0bf
SHA1 0abc4fe65689539910c10de03e2aef6c87215ba6
SHA256 20993f06c9bb0d7920815ca8b9a1b28148117802336385f428c43f2cca3277b6
SHA512 3eb241be9921784ca66e9c8c4b21c7b6f49ca1f9c061fe26e5d4deaa1ebca591c46308b4d5c2266fb1316ee1b44c0c44c1946262ad3180af598e2993975b48de

memory/1756-656-0x0000000000400000-0x000000000040B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-10 23:12

Reported

2024-06-10 23:15

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

51s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe"

Signatures

Renames multiple (5194) files with added filename extension

ransomware

UPX dump on OEP (original entry point)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Common Files\microsoft shared\ink\hr-HR\tipresx.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\ReachFramework.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-string-l1-1-0.dll.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\PresentationCore.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest5-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.Interfaces.dll.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.id-id.dll.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Quic.dll.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-100.png.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-console-l1-1-0.dll.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Forms.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Java\jre-1.8\legal\javafx\public_suffix.md.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\1033\WORD_WHATSNEW.XML.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\ApiClient.dll.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Primitives.dll.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\UIAutomationClient.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Trial-pl.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremDemoR_BypassTrial365-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Retail-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ar-sa.dll.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Trial-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\SkypeServiceBypassR_PrepidBypass-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\OpenSSL64.DllA\zlibwapi.dll.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Retail-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\7-Zip\Lang\is.txt.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-processthreads-l1-1-1.dll.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Data.dll.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription3-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_KMS_Client-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_OEM_Perp-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\UIAutomationProvider.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Templates\1033\ContemporaryPhotoAlbum.potx.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\7-Zip\Lang\fy.txt.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert.xml.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Security.dll.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.OpenSsl.dll.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.Algorithms.dll.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\Microsoft.VisualBasic.Forms.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Common Files\System\it-IT\wab32res.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\System.Windows.Forms.Design.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\legal\jdk\bcel.md.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-80.png.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\7-Zip\Lang\mk.txt.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ObjectModel.dll.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Median.xml.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-180.png.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\msotdaddin.dll.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\ReachFramework.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp4-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_OEM_Perp-pl.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Retail-pl.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Text.Encoding.Extensions.dll.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Configuration.ConfigurationManager.dll.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-time-l1-1-0.dll.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.NETCore.App.deps.json.tmp | C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe

"C:\Users\Admin\AppData\Local\Temp\6d03aab2bf5d6141d1255858f2861ed9c3aee58b9a3ed3a4636504e0de57588b.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp

Files

memory/2120-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-4124900551-4068476067-3491212533-1000\desktop.ini.tmp

MD5 c93f2a363fe2a946744a5350f09440f8
SHA1 dd2acd3c7611fb922745d48615f500e035a5ee57
SHA256 2ccea6a1b9a4b47ab2ff280a5386be1fe4d11fde98d0a19fa6d39fce1e9fc9b3
SHA512 ec375c1848f51f25236dbe0aba36bf8eb20c7c5d3b4131c3a69fb3551cdb5192a74c6a0e2cea297b5ffebcab39704a8913e21d5c55d4c3e2f1094977a777326a

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 3474e6f3160ba77b8d0c0d6b7470e385
SHA1 429c68f43c0ceafbfbabeef581879954ad36e474
SHA256 55439c24bd95383e553cd850e879d551912deec6a30371b60d4f936a3eae0861
SHA512 a5fa2170cad908fe1d7ac701352330f44deccbc5ff5bc2923ef168d28ca7096f7d3ad3a886607ed19a8df83337453891e84bbf4401d891a362025b0ff8f8e99a

memory/2120-1952-0x0000000000400000-0x000000000040B000-memory.dmp