Malware Analysis Report

2025-01-03 08:30

Sample ID 240611-d4g4rstcjr
Target d1d5538fefe9a3b4825a5c0c64fdabac06268e35471ed7eed41fdb9fe528b6bd
SHA256 d1d5538fefe9a3b4825a5c0c64fdabac06268e35471ed7eed41fdb9fe528b6bd
Tags upx ransomware

Score 10/10


Analysis Overview

Score 10/10

SHA256 d1d5538fefe9a3b4825a5c0c64fdabac06268e35471ed7eed41fdb9fe528b6bd

Threat Level: Known bad

The file d1d5538fefe9a3b4825a5c0c64fdabac06268e35471ed7eed41fdb9fe528b6bd was found to be: Known bad.

Malicious Activity Summary

upx ransomware

UPX dump on OEP (original entry point)

Renames multiple (610) files with added filename extension

Renames multiple (5282) files with added filename extension

UPX packed file

Drops file in Program Files directory

Unsigned PE

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-11 03:33

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 03:33

Reported

2024-06-11 03:36

Platform

win7-20240221-en

Max time kernel

150s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d1d5538fefe9a3b4825a5c0c64fdabac06268e35471ed7eed41fdb9fe528b6bd.exe"

Signatures

Renames multiple (610) files with added filename extension

ransomware

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory


Processes

C:\Users\Admin\AppData\Local\Temp\d1d5538fefe9a3b4825a5c0c64fdabac06268e35471ed7eed41fdb9fe528b6bd.exe

"C:\Users\Admin\AppData\Local\Temp\d1d5538fefe9a3b4825a5c0c64fdabac06268e35471ed7eed41fdb9fe528b6bd.exe"

Network

N/A

Files

memory/2248-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-330940541-141609230-1670313778-1000\desktop.ini.tmp

MD5 ae175889bc50c692e1ff6c1514e0f3cc
SHA1 a03f9bb567680a1418c613218e6ae6bca0984666
SHA256 a62763c8fce69d530d3a6a03807805fb8529e19c5daabd3d5b885ec8271fae82
SHA512 a24d4a877f9b47f5f3cf3f5d70ca2aa947ce2176af0319e01aaeab0ce51f15d2f695e888c49c46eb18c125874d35e2a1590068aa272fb8dec4640b23e5fdb7f3

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 fca62cbea41adfadfc8e83ad7e55e4f7
SHA1 1ff296b02ecc29c1bd6ce2b0602d2b39fa71acc2
SHA256 38ab2eb0f45d30451b64bbd2aef20661e5b9a61d285b6d5edda94d5a5e0a0c36
SHA512 daa1d020483b81dec586ec7ab83330406c91839d074954ae9e4cd469900acf47d42523d8ddd3a036a0298791ba636d1c2a6b1332cd275c0be0dd3c89862bf470

memory/2248-26-0x0000000000400000-0x000000000040A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-11 03:33

Reported

2024-06-11 03:36

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d1d5538fefe9a3b4825a5c0c64fdabac06268e35471ed7eed41fdb9fe528b6bd.exe"

Signatures

Renames multiple (5282) files with added filename extension

ransomware

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory


Processes

C:\Users\Admin\AppData\Local\Temp\d1d5538fefe9a3b4825a5c0c64fdabac06268e35471ed7eed41fdb9fe528b6bd.exe

"C:\Users\Admin\AppData\Local\Temp\d1d5538fefe9a3b4825a5c0c64fdabac06268e35471ed7eed41fdb9fe528b6bd.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4100,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=4240 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/3548-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-1181767204-2009306918-3718769404-1000\desktop.ini.tmp

MD5 5c3173eb3d64226b3aa6f4f88a53b7e1
SHA1 bdf368517df099836443b9929c996ec3b5792e87
SHA256 5419223b421ac47ec2db4edeb02449d628a102b951aae578c9410f5ed3aa59a8
SHA512 26b27186345b41a9f262f5d526986553c3f1ae0ba7d56226c6ca176792d69dc0693f1ebcf57ba1d2566e20062bd8c054eb9567f9dc84690cb438e886b24040a2

C:\Program Files\7-Zip\7-zip.chm.tmp

MD5 c4a7dc03bafe5018bd965cdb2262944d
SHA1 40b69f5ad534879201f5ac0113bfef2845150a34
SHA256 8e42b399d31cd80b729009411ad096ff5d1808106f7b5374d17c29c087e26672
SHA512 11c6e60ea5e57bd2c289d148206c2e5d2a22a0d04d0ced914887728b641d8c3926ed655ea50d40d742fe6ba41243ca2b22fc589889a53b6cc6e813a9277c68a8

memory/3548-1222-0x0000000000400000-0x000000000040A000-memory.dmp