Malware Analysis Report

2025-01-03 08:36

Sample ID 240611-d2qm5aseme
Target d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532
SHA256 d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532
Tags upx ransomware
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score

10/10

SHA256

d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532

Threat Level: Known bad

The file d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532 was found to be: Known bad.

Malicious Activity Summary

upx ransomware

UPX dump on OEP (original entry point)

Renames multiple (4829) files with added filename extension

Renames multiple (3457) files with added filename extension

UPX packed file

Drops file in Program Files directory

Unsigned PE

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-11 03:30

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 03:30

Reported

2024-06-11 03:33

Platform

win7-20240221-en

Max time kernel

149s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe"

Signatures

Renames multiple (3457) files with added filename extension

ransomware

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\VideoLAN\VLC\plugins\video_filter\libpuzzle_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Asuncion.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.zh_CN_5.5.0.165303.jar.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\Java\jre7\bin\JavaAccessBridge-64.dll.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\Java\jre7\lib\javafx.properties.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Pacific\Nauru.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-swing-outline.xml.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Bahia_Banderas.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\Microsoft Games\Solitaire\ja-JP\Solitaire.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\localedata.jar.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Tallinn.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\feature.xml.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.repository.nl_ja_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.update.configurator.nl_zh_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\km\LC_MESSAGES\vlc.mo.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\playlist\anevia_xml.luac.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\services_discovery\libmicrodns_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\Windows Media Player\wmpnssci.dll.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\VC\msdia90.dll.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.operations.nl_zh_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-tabcontrol_ja.jar.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\Microsoft Games\Hearts\desktop.ini.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\video_filter\libscale_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.DataSetExtensions.Resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\si\LC_MESSAGES\vlc.mo.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_concat_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_precomp_matte.wmv.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationLeft_ButtonGraphic.png.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.filetransfer_5.0.0.v20140827-1444.jar.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Etc\GMT.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\Mozilla Firefox\AccessibleMarshal.dll.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\flower_dot.png.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waxing-gibbous_partly-cloudy.png.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_LOOP_BG_PAL.wmv.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Asia\Nicosia.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Australia\Hobart.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\hi\LC_MESSAGES\vlc.mo.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\misc\libxml_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\Java\jre7\bin\java.dll.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Argentina\Mendoza.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\service.js.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\css\localizedSettings.css.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\Windows Journal\de-DE\NBMapTIP.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\icon.png.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-back-over-select.png.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\local_policy.jar.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\vlc.mo.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\video_splitter\libwall_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\Windows Media Player\Network Sharing\wmpnss_bw48.bmp.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Chagos.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.reconciler.dropins_1.1.200.v20131119-0908.jar.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.swt.win32.win32.x86_64_3.103.1.v20140903-1947.jar.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\Microsoft Games\Multiplayer\Backgammon\it-IT\bckgzm.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\spu\libaudiobargraph_v_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\Microsoft.Build.Engine.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\sawindbg.dll.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Aqtau.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.services_1.1.0.v20140328-1925.jar.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-uihandler.xml.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-progress-ui_ja.jar.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\access\libsftp_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\Internet Explorer\en-US\eula.rtf.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\Internet Explorer\perfcore.dll.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe

"C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe"

Network

N/A

Files

memory/2112-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3452737119-3959686427-228443150-1000\desktop.ini.tmp

MD5 a12087a10ad2b68f4ff998ae4ef0c545
SHA1 8326d8ad5aa45b01663de845cfef4988df38c221
SHA256 3c905f17c62778b13bcbbf3453cef5418eea44980db7d0dd190ba9152b146be5
SHA512 c5f0e36fe2fe6a7033929c7c161e994913be22adc403626c901dbeba2807296696d7c0b27618e6a33ebacb46cb230d20aa6b056909bba2023c4690318261f40a

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 3ec876328abce71a79ecb7221d6aa8aa
SHA1 80eb7b06b74d52f30bde7ba51900d3d380513472
SHA256 2f43bb9ee6d5d210a78cf0cf2d4a9f1afabc030398d1b807d94bdfcda2abf835
SHA512 6dba5ed5fb9eae930b6ad72f522c3e860e44933ecf8fd85d6536a1af406d30d6126ef0e10b9798aa0d2dd877dae9aea74f5225b0511cbed91c25daf0dce4ce85

memory/2112-74-0x0000000000400000-0x000000000040A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-11 03:30

Reported

2024-06-11 03:33

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

103s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe"

Signatures

Renames multiple (4829) files with added filename extension

ransomware

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Core.dll.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Primitives.dll.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Core.dll.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Retail-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_MAK-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\CHART.DLL.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\Office.Runtime.js.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTest-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fr-FR\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.TraceSource.dll.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Formats.Asn1.dll.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.dll.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\Internet Explorer\uk-UA\iexplore.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\fontconfig.bfc.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\jli.dll.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\ClientARMRefer2019_eula.txt.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSWORD.OLB.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.FileSystem.AccessControl.dll.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\jsound.dll.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Trial-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Retail-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\MSOSEC.XML.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\7-Zip\Lang\pt-br.txt.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Diagnostics.EventLog.dll.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-synch-l1-2-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN048.XML.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\7-Zip\Lang\ca.txt.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Transactions.Local.dll.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\SkypeForBusinessBasic2019_eula.txt.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.WebSockets.dll.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\System.Windows.Controls.Ribbon.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\WindowsFormsIntegration.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\t2k.dll.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Wisp.thmx.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\GostTitle.XSL.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\zip.dll.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\mip_upe_sdk.dll.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\WordVL_KMS_Client-ul.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\WindowsFormsIntegration.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.Aero2.dll.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\UIAutomationClient.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\fil.pak.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\legal\javafx\gstreamer.md.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MEDIA\SUCTION.WAV.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-conio-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.dll.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.WindowsDesktop.App.runtimeconfig.json.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Microsoft.Win32.SystemEvents.dll.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\ext\meta-index.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\ONINTL.DLL.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL081.XML.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.Serialization.dll.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\PresentationFramework.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\deploy\messages_zh_CN.properties.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\msjet.xsl.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\FPA_f14\FA000000014.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework-SystemDrawing.dll.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\PresentationFramework.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_KMS_Client-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_KMS_Client_AE-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\OFFSYMXB.TTF.tmp C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe

"C:\Users\Admin\AppData\Local\Temp\d0cabdd5403e589827f64325059611495cbed053a1203e65023825c7a239d532.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 6.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

memory/4376-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-1162180587-977231257-2194346871-1000\desktop.ini.tmp

MD5 590c30c92dc18c94b92b1de7763019f4
SHA1 41ccabd10cf5366336ab76c406cfc308d7ee45b3
SHA256 bfd85ade5ec257f48bb117eb4ccf16229290f944ff0486ced5e59cdb81c9d09a
SHA512 e347f690116008276b1d71ef6a3e7e78d0522b84b86124ab460a1b93e5e456c0003a311c1ac09b57269390f30989bb97263b1b022916feee6b9f439c746ef0e4

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 e014e39ed415a375af6df49c0e02095d
SHA1 588ac95c18bab663daf9a8ed88d06b74ab299807
SHA256 0783f20720aef6b5399aa50a1867ba7e659d79687fad0d59af820e513b66b314
SHA512 2067e4585ef9e2c85db8cbca25bfc267cb50409ee898d71ffbee5e74751190727aa9ffa9980c669e621627b49c3950a367a954235323ce9a490686a3e952a3a4

memory/4376-860-0x0000000000400000-0x000000000040A000-memory.dmp