Malware Analysis Report

2025-03-15 08:17

Sample ID 241016-dw2s7szeqg
Target ca8d30c167009f3c14f8a1657b63d993d19b47e4f78690096ea2f7683a0b5c0aN
SHA256 ca8d30c167009f3c14f8a1657b63d993d19b47e4f78690096ea2f7683a0b5c0a
Tags: upx discovery ransomware
Score: 9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 9/10

SHA256: ca8d30c167009f3c14f8a1657b63d993d19b47e4f78690096ea2f7683a0b5c0a

Threat Level: Likely malicious

The file ca8d30c167009f3c14f8a1657b63d993d19b47e4f78690096ea2f7683a0b5c0aN was found to be: Likely malicious.

Malicious Activity Summary

upx discovery ransomware

Renames multiple (305) files with added filename extension

Renames multiple (4320) files with added filename extension

UPX packed file

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-10-16 03:22

Signatures

UPX packed file

upx

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-16 03:22
Reported: 2024-10-16 03:24
Platform: win7-20241010-en
Max time kernel: 120s
Max time network: 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ca8d30c167009f3c14f8a1657b63d993d19b47e4f78690096ea2f7683a0b5c0aN.exe"

Signatures

Renames multiple (305) files with added filename extension

ransomware

UPX packed file

upx

Drops file in Program Files directory


System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ca8d30c167009f3c14f8a1657b63d993d19b47e4f78690096ea2f7683a0b5c0aN.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ca8d30c167009f3c14f8a1657b63d993d19b47e4f78690096ea2f7683a0b5c0aN.exe

"C:\Users\Admin\AppData\Local\Temp\ca8d30c167009f3c14f8a1657b63d993d19b47e4f78690096ea2f7683a0b5c0aN.exe"

Network

N/A

Files

memory/2808-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3692679935-4019334568-335155002-1000\desktop.ini.tmp

MD5 1a2d599845acc71283275c925b077b2f
SHA1 299b36e0adc03eee32644a199d9f200f573d7778
SHA256 e1a4f39f861282de857e474eb6eb263bdbbbae24b4913d17f63862f112ba0da3
SHA512 4ca27a08607b59f2509a3f68e4fddced86d4a57642202ddb12048f09111633f5ab7253f0e5f456ea6d4832e96485026475f9ec9c7edca885b8e39cb918f7fbe2

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 39d9fc9b1af0e53e547dfbf059d5d76e
SHA1 fadc8338b2fd87b41417725e51399323078f5fd1
SHA256 9664402186290c2c659b6f6d99cfbab27367e126924f8a1ebc9ca456216e8de7
SHA512 191cb9bf40ff5faae7c315cbc67cc4dee24897df2ecfe1ed1ac24bdab3e66633db582f95a23208734658bda9c27af21580025495a088367da49ae1db5a6ba2ea

memory/2808-20-0x0000000000400000-0x000000000040B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-10-16 03:22
Reported: 2024-10-16 03:24
Platform: win10v2004-20241007-en
Max time kernel: 120s
Max time network: 105s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ca8d30c167009f3c14f8a1657b63d993d19b47e4f78690096ea2f7683a0b5c0aN.exe"

Signatures

Renames multiple (4320) files with added filename extension

ransomware

UPX packed file

upx

Drops file in Program Files directory


System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ca8d30c167009f3c14f8a1657b63d993d19b47e4f78690096ea2f7683a0b5c0aN.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ca8d30c167009f3c14f8a1657b63d993d19b47e4f78690096ea2f7683a0b5c0aN.exe

"C:\Users\Admin\AppData\Local\Temp\ca8d30c167009f3c14f8a1657b63d993d19b47e4f78690096ea2f7683a0b5c0aN.exe"

Network


Files

memory/1116-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2045521122-590294423-3465680274-1000\desktop.ini.tmp

MD5 ea6faf177ab8e0cfa8b6ec1eb76309a7
SHA1 6bb1eb3deaee48986c3b4d9039ac05df0d9058d2
SHA256 8b3f4963761c059129b4c7776c8871340a55ae1cc718c26908fe71f9c66e4541
SHA512 107ca6cbd4d18cd62a731ea14956d9c391c78b6f8c22c40cb470d3e1f69d7dd3db97fe21d1cb58d22743864afbed6c18dc9a9425badd3102ec7fbe23a8653338

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 a00040e69611f178ea839d79a8de956c
SHA1 b34c0d18bb4d2ec73ff2a3851fae056f199e76b0
SHA256 1b042de0ffb6e09197327da9dae48708b210b359f9d62de1ed65eaa7732118dd
SHA512 e2c3ec48ccbb89c846e54e4b30c1111cd946493edc4af431950e5944a0c9d90793f3803c1683f74c0af4580bc61b85b8071bdd4fe6903acdfe92bdb3a5ad3eea

memory/1116-658-0x0000000000400000-0x000000000040B000-memory.dmp