Malware Analysis Report

2025-01-22 20:15

Sample ID 241019-ztq5ksydrb
Target bdcff6eb9990edf2e001bc37f4f3f493b207305a0f17818270834fed507b938fN
SHA256 bdcff6eb9990edf2e001bc37f4f3f493b207305a0f17818270834fed507b938f
Tags
upx discovery ransomware
score
9/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
9/10

SHA256

bdcff6eb9990edf2e001bc37f4f3f493b207305a0f17818270834fed507b938f

Threat Level: Likely malicious

The file bdcff6eb9990edf2e001bc37f4f3f493b207305a0f17818270834fed507b938fN was found to be: Likely malicious.

Malicious Activity Summary

upx discovery ransomware

Renames multiple (4138) files with added filename extension (behavioral2, win10v2004-20241007-en)

Renames multiple (236) files with added filename extension (behavioral1, win7-20241010-en)

UPX packed file

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Analyst notes

Both detonations show the same behaviour from a single process with no child processes: the sample opens the system language key (NLS\Language), creates a .tmp file beside existing files under C:\Program Files, C:\MSOCache and the user's $Recycle.Bin, and renames files in bulk with an added extension (236 files on Windows 7, 4138 on Windows 10; the difference reflects how much is installed on each image, not different behaviour). Writing a staging .tmp next to each target and then renaming is the usual write-encrypted-copy-and-swap sequence of a file encryptor. Only the first 64 "File created" rows are listed per run, so the rename counts are the better measure of scope.

No sample-attributable network activity was observed. behavioral1 recorded nothing (network capture ran for only 19 s); the behavioral2 table holds only reverse-DNS (PTR) lookups to 8.8.8.8 and connections to tse1.mm.bing.net, which is Windows 10 background traffic. There is no network IOC in this report; treat the sample as operating offline until the unpacked code shows otherwise.

The .tmp files captured under Files are the sample's output, not payloads; their hashes differ between runs (compare the two desktop.ini.tmp entries) and are not useful as IOCs. Static work should start from the UPX-unpacked binary: upx -d usually suffices for an unmodified UPX layer, and if it refuses, dump the unpacked image (0x400000-0x40B000 in both runs) from memory instead. The binary is unsigned, which is worth recording but is not evidence on its own.

MITRE ATT&CK

Enterprise Matrix V15 (technique mapping derived from the signatures listed in this report)

Tactic Technique ID Evidence
Defense Evasion Obfuscated Files or Information: Software Packing T1027.002 UPX packed file (static1)
Discovery System Location Discovery: System Language Discovery T1614.001 Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (behavioral1, behavioral2)
Impact Data Encrypted for Impact T1486 Renames multiple files with added filename extension; .tmp files created beside originals (behavioral1, behavioral2)

Analysis: static1

Detonation Overview

Reported

2024-10-19 21:00

Signatures

UPX packed file (upx)

No indicator, process or target recorded for this signature.

Unsigned PE

No indicator, process or target recorded for this signature.
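The two static verdicts above can be reproduced without a sandbox by walking the PE headers: UPX leaves its section names in the section table, and an unsigned binary has an empty Attribute Certificate Table (data directory 4). The following is an added example written for this report, not tooling from the sandbox vendor; the header-only PE it builds for testing is constructed here and is not the analysed sample.

```python
import struct

# Data directory index of the Attribute Certificate Table (Authenticode signature).
SECURITY_DIR_INDEX = 4
# Section names left behind by an unmodified UPX packer.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b"UPX!"}


def parse_pe(data: bytes) -> dict:
    """Walk the DOS, COFF and optional headers and return the section names
    and whether an embedded Authenticode signature directory is present."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, num_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32: data directories start 96 bytes into the optional header
        dd_offset = opt + 96
    elif magic == 0x20B:      # PE32+: 112 bytes (ImageBase and stack/heap fields are 8 bytes)
        dd_offset = opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    num_dirs = struct.unpack_from("<I", data, dd_offset - 4)[0]
    sec_size = 0
    if num_dirs > SECURITY_DIR_INDEX:
        _, sec_size = struct.unpack_from("<II", data, dd_offset + 8 * SECURITY_DIR_INDEX)
    section_table = opt + opt_size
    names = [
        struct.unpack_from("<8s", data, section_table + 40 * i)[0].rstrip(b"\0")
        for i in range(num_sections)
    ]
    return {"machine": machine, "sections": names, "has_security_dir": sec_size != 0}


def triage_verdicts(data: bytes) -> list:
    """Reproduce the two static signatures from the report on a PE image."""
    info = parse_pe(data)
    findings = []
    # Cheap packer check: renamed sections defeat it, so pair it with entropy in practice.
    if any(name in UPX_SECTION_NAMES for name in info["sections"]):
        findings.append("UPX packed file")
    # No Attribute Certificate Table means no embedded signature. Catalog-signed
    # Windows binaries also lack one, and presence says nothing about validity.
    if not info["has_security_dir"]:
        findings.append("Unsigned PE")
    return findings


def build_minimal_pe(section_names, signed: bool) -> bytes:
    """Constructed header-only PE32 image for offline testing (not the sample)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    num_dirs = 16
    opt_size = 96 + 8 * num_dirs
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", num_dirs)
    dirs = bytearray(8 * num_dirs)
    if signed:
        struct.pack_into("<II", dirs, 8 * SECURITY_DIR_INDEX, 0x1000, 0x200)
    sections = b"".join(struct.pack("<8s", n) + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + opt + bytes(dirs) + sections


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:
        print(triage_verdicts(fh.read()))
```

Run it against the sample before and after `upx -d`: the "UPX packed file" finding should disappear once the layer is stripped, while "Unsigned PE" stays, since unpacking cannot add a signature.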

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-19 21:00

Reported

2024-10-19 21:03

Platform

win7-20241010-en

Max time kernel

120s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bdcff6eb9990edf2e001bc37f4f3f493b207305a0f17818270834fed507b938fN.exe"

Signatures

Renames multiple (236) files with added filename extension (ransomware)

UPX packed file (upx)

No indicator, process or target recorded for this signature.

Drops file in Program Files directory

Description (all rows): File created
Process (all rows): C:\Users\Admin\AppData\Local\Temp\bdcff6eb9990edf2e001bc37f4f3f493b207305a0f17818270834fed507b938fN.exe
Target (all rows): N/A

Indicator (first 64 rows; every entry is a .tmp staging file created beside an existing file)
C:\Program Files\Common Files\Microsoft Shared\ink\en-US\delete.avi.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\mshwLatin.dll.mui.tmp
C:\Program Files\Common Files\System\msadc\msadcer.dll.tmp
C:\Program Files\7-Zip\Lang\nl.txt.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\InputPersonalization.exe.mui.tmp
C:\Program Files\DVD Maker\Shared\DissolveAnother.png.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-back-static.png.tmp
C:\Program Files\7-Zip\Lang\nn.txt.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\hwresmlm.dat.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad.xml.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\en-US\correct.avi.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\InputPersonalization.exe.mui.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\FlickLearningWizard.exe.mui.tmp
C:\Program Files\Common Files\Microsoft Shared\OFFICE14\CsiSoap.dll.tmp
C:\Program Files\7-Zip\Lang\mn.txt.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\en-US\IpsMigrationPlugin.dll.mui.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\en-US\tabskb.dll.mui.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationLeft_SelectionSubpicture.png.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationUp_SelectionSubpicture.png.tmp
C:\Program Files\7-Zip\Lang\ext.txt.tmp
C:\Program Files\Common Files\Microsoft Shared\Stationery\OrangeCircles.jpg.tmp
C:\Program Files\Common Files\Microsoft Shared\Stationery\Sand_Paper.jpg.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationUp_SelectionSubpicture.png.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\whitemenu.png.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-previous-over-select.png.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\blackbars80.png.tmp
C:\Program Files\7-Zip\7zFM.exe.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\dicjp.bin.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\IpsMigrationPlugin.dll.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe.tmp
C:\Program Files\7-Zip\Lang\ky.txt.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\ShapeCollector.exe.mui.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\tipresx.dll.mui.tmp
C:\Program Files\Common Files\System\ado\msado20.tlb.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\babypink.png.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationLeft_ButtonGraphic.png.tmp
C:\Program Files\7-Zip\Lang\va.txt.tmp
C:\Program Files\DVD Maker\audiodepthconverter.ax.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-highlight.png.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationUp_ButtonGraphic.png.tmp
C:\Program Files\7-Zip\Lang\fur.txt.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_RGB_PAL.wmv.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\vistabg.png.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\IPSEventLogMsg.dll.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\InputPersonalization.exe.mui.tmp
C:\Program Files\DVD Maker\offset.ax.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe.tmp
C:\Program Files\Common Files\System\ado\msado15.dll.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\1047x576black.png.tmp
C:\Program Files\7-Zip\Lang\lv.txt.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationLeft_SelectionSubpicture.png.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\IPSEventLogMsg.dll.mui.tmp
C:\Program Files\Common Files\System\Ole DB\msdatl3.dll.tmp
C:\Program Files\DVD Maker\ja-JP\OmdProject.dll.mui.tmp
C:\Program Files\Common Files\Microsoft Shared\VGX\VGX.dll.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyScenesBackground_PAL.wmv.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\NextMenuButtonIconSubpictur.png.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\tipresx.dll.mui.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\203x8subpicture.png.tmp
C:\Program Files\Common Files\System\de-DE\wab32res.dll.mui.tmp
C:\Program Files\DVD Maker\rtstreamsource.ax.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\tpcps.dll.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationUp_SelectionSubpicture.png.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-next-static.png.tmp

System Location Discovery: System Language Discovery (discovery)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bdcff6eb9990edf2e001bc37f4f3f493b207305a0f17818270834fed507b938fN.exe N/A

Only the key open is recorded; the report does not show what the sample does with the value. Ransomware families commonly read the system language to skip hosts in particular locales, so look in the unpacked code for a comparison against specific language identifiers before treating this as a harmless locale query.

Processes

C:\Users\Admin\AppData\Local\Temp\bdcff6eb9990edf2e001bc37f4f3f493b207305a0f17818270834fed507b938fN.exe

"C:\Users\Admin\AppData\Local\Temp\bdcff6eb9990edf2e001bc37f4f3f493b207305a0f17818270834fed507b938fN.exe"

Network

N/A (no traffic recorded; network capture ran for only 19 s in this detonation)

Files

memory/3012-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3692679935-4019334568-335155002-1000\desktop.ini.tmp

MD5 8e7293f22aa36e27363f822dd71862d6
SHA1 ac5e22addb8064f1859c1e4ccccd95aa58f7ac73
SHA256 d4dfeb4b28b26bf9f977366d2a822cfe4ed08bd4a79f81e0b420e99d98f9f5ec
SHA512 99ae2022e2fc8a350bed60cc2b436324f0b0995ecefe1678fa463a43e7c7a2aea7ea4ebb68b90672aad57100280bc0ecd25ad8fa5f6127bcc50924dd841d2578

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 91387457dc0141deb49d7c0e63935561
SHA1 e94490e68b4b7d4a5bfd7cc0100e1bbb1300371c
SHA256 87c783f739a2e66f7390f6e73dd27017c4b5d258985953a73c796a06a361b1fd
SHA512 6b827f028c0ceaf73f678f1e2226eeaebe6ef284e324edea9ee9456e1d98abc8701342a4845759b58ab541ca3c731d00e4b772df4f9a54e237e448f7cab44f61

memory/3012-20-0x0000000000400000-0x000000000040B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-19 21:00

Reported

2024-10-19 21:02

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

105s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bdcff6eb9990edf2e001bc37f4f3f493b207305a0f17818270834fed507b938fN.exe"

Signatures

Renames multiple (4138) files with added filename extension (ransomware)

UPX packed file (upx)

No indicator, process or target recorded for this signature.

Drops file in Program Files directory

Description (all rows): File created
Process (all rows): C:\Users\Admin\AppData\Local\Temp\bdcff6eb9990edf2e001bc37f4f3f493b207305a0f17818270834fed507b938fN.exe
Target (all rows): N/A

Indicator (first 64 rows; every entry is a .tmp staging file created beside an existing file)
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Windows.Input.Manipulations.resources.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Subscription-pl.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-ppd.xrm-ms.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-process-l1-1-0.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\PresentationUI.resources.dll.tmp
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe.tmp
C:\Program Files\Microsoft Office\root\Integration\C2RInt.16.msi.tmp
C:\Program Files\Java\jdk-1.8\bin\unpack200.exe.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\WindowsFormsIntegration.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\PresentationCore.resources.dll.tmp
C:\Program Files\Java\jre-1.8\bin\prism_sw.dll.tmp
C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.tr-tr.dll.tmp
C:\Program Files\Common Files\microsoft shared\ink\hwrenUSlm.dat.tmp
C:\Program Files\Common Files\microsoft shared\ink\ipshrv.xml.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Collections.Specialized.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Windows.Forms.Primitives.resources.dll.tmp
C:\Program Files\Java\jdk-1.8\jre\bin\dt_shmem.dll.tmp
C:\Program Files\Java\jdk-1.8\legal\jdk\xmlresolver.md.tmp
C:\Program Files\Java\jre-1.8\lib\resources.jar.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Windows.Controls.Ribbon.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Xaml.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\UIAutomationClientSideProviders.resources.dll.tmp
C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_F_COL.HXK.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Xaml.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\PresentationFramework.resources.dll.tmp
C:\Program Files\Java\jdk-1.8\jre\bin\JAWTAccessBridge-64.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_OEM_Perp-pl.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTest-ul-oob.xrm-ms.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\System.Windows.Controls.Ribbon.resources.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-ppd.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_MAKC2R-ppd.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription2-ul-oob.xrm-ms.tmp
C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-time-l1-1-0.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Drawing.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\Microsoft.VisualBasic.Forms.resources.dll.tmp
C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Arial Black-Arial.xml.tmp
C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription-ul-oob.xrm-ms.tmp
C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-rtlsupport-l1-1-0.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Security.Cryptography.ProtectedData.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_OEM_Perp-pl.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_OEM_Perp-ul-phn.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_COL.HXC.tmp
C:\Program Files\Common Files\System\msadc\it-IT\msaddsr.dll.mui.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\DirectWriteForwarder.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\UIAutomationTypes.resources.dll.tmp
C:\Program Files\Internet Explorer\en-US\ieinstal.exe.mui.tmp
C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-ul-phn.xrm-ms.tmp
C:\Program Files\Java\jdk-1.8\jre\bin\javafx_iio.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_MAK_AE-ppd.xrm-ms.tmp
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOMessageProvider.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-processthreads-l1-1-1.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.FileSystem.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\ReachFramework.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\PresentationUI.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.WindowsDesktop.App.runtimeconfig.json.tmp
C:\Program Files\Google\Chrome\Application\123.0.6312.123\mojo_core.dll.tmp
C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Calibri Light-Constantia.xml.tmp
C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Retail-ul-phn.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_KMS_ClientC2R-ul.xrm-ms.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\PresentationCore.resources.dll.tmp
C:\Program Files\Internet Explorer\es-ES\ieinstal.exe.mui.tmp
C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial4-pl.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\1033\ClientPreview_eula.txt.tmp

System Location Discovery: System Language Discovery (discovery)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bdcff6eb9990edf2e001bc37f4f3f493b207305a0f17818270834fed507b938fN.exe N/A

Same key open as in behavioral1.
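The two behavioural signatures that drive the score in both detonations, the .tmp staging files dropped beside originals and the bulk renames with an added extension, are what an endpoint detection should key on rather than the hash of this one binary. The following detector over file-event telemetry is an added example for this report, not the sandbox's signature logic; the event format, the threshold of 20, and the constructed events (pid 3012 is the process id from the behavioral1 memory dumps, the ".enc" extension is made up, since the report never states which extension the sample appends) are all assumptions for the example.

```python
import ntpath
from collections import Counter, defaultdict
from typing import Optional

# Threshold is a tuning assumption; the sandbox reported 236 and 4138 renames for this sample.
RENAME_THRESHOLD = 20


def added_extension(old_path: str, new_path: str) -> Optional[str]:
    """Return the suffix if new_path is old_path with exactly one extra extension appended."""
    if not new_path.startswith(old_path) or len(new_path) <= len(old_path):
        return None
    suffix = new_path[len(old_path):]
    if suffix.startswith(".") and "." not in suffix[1:] and "\\" not in suffix:
        return suffix
    return None


def analyze_file_events(events, threshold: int = RENAME_THRESHOLD) -> list:
    """Aggregate create/rename events per process and alert on bulk add-extension renames.

    Each event is a dict: {"pid", "op" ("create" | "rename"), "path", "new_path"}.
    """
    per_proc = defaultdict(lambda: {"renames": 0, "tmp_creates": 0,
                                    "extensions": Counter(), "dirs": set()})
    for ev in events:
        st = per_proc[ev["pid"]]
        if ev["op"] == "create" and ev["path"].lower().endswith(".tmp"):
            # Staging file written beside the original, as in the report's "File created" rows.
            st["tmp_creates"] += 1
            st["dirs"].add(ntpath.dirname(ev["path"]).lower())
        elif ev["op"] == "rename":
            ext = added_extension(ev["path"], ev.get("new_path", ""))
            if ext is not None:
                st["renames"] += 1
                st["extensions"][ext.lower()] += 1
                st["dirs"].add(ntpath.dirname(ev["path"]).lower())
    alerts = []
    for pid, st in per_proc.items():
        if st["renames"] >= threshold:
            alerts.append({
                "pid": pid,
                "renames": st["renames"],
                "tmp_creates": st["tmp_creates"],
                "extensions": dict(st["extensions"]),
                "directories": len(st["dirs"]),
            })
    return alerts


def constructed_events() -> list:
    """Constructed sample telemetry: pid 3012 mimics the report's staging-then-rename
    pattern (the ".enc" extension is made up); pid 1234 is benign editing activity."""
    events = []
    for i in range(30):
        original = f"C:\\Program Files\\7-Zip\\Lang\\l{i:02d}.txt"
        events.append({"pid": 3012, "op": "create", "path": original + ".tmp"})
        events.append({"pid": 3012, "op": "rename", "path": original,
                       "new_path": original + ".enc"})
    events.append({"pid": 1234, "op": "create",
                   "path": "C:\\Users\\Admin\\Documents\\~report.docx.tmp"})
    events.append({"pid": 1234, "op": "rename",
                   "path": "C:\\Users\\Admin\\Documents\\report.docx",
                   "new_path": "C:\\Users\\Admin\\Documents\\report_v2.docx"})
    return events


if __name__ == "__main__":
    for alert in analyze_file_events(constructed_events()):
        print(alert)
```

The per-process count of add-extension renames is what separates an encryptor from installers and editors, which also write .tmp files but rename them back over the original name rather than onto a new suffix. Feed it Sysmon FileCreate events and file-rename telemetry from your EDR, and raise the threshold until clean installs on your own images stop firing.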

Processes

C:\Users\Admin\AppData\Local\Temp\bdcff6eb9990edf2e001bc37f4f3f493b207305a0f17818270834fed507b938fN.exe

"C:\Users\Admin\AppData\Local\Temp\bdcff6eb9990edf2e001bc37f4f3f493b207305a0f17818270834fed507b938fN.exe"

Network

Every row below is either a reverse-DNS (PTR) lookup to 8.8.8.8 or a connection to tse1.mm.bing.net; the final PTR query (10.28.171.150.in-addr.arpa) is the reverse of the Bing address 150.171.28.10. This is Windows 10 guest background traffic, not activity attributable to the sample, so no network IOC should be derived from this table.

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 28.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
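Separating guest background noise from candidate C2 is a recurring chore with sandbox network tables. The following triage helper is an added example for this report, not sandbox tooling; it embeds the rows from the table above plus one made-up row (a TEST-NET-3 address and a .invalid hostname, clearly labelled) so that the "review" path is exercised. The allowlist of background hosts is an assumption for the example; build yours from a clean detonation of the same image.

```python
import ipaddress
from collections import Counter
from typing import Optional

# Hosts the Windows 10 guest contacts on its own. Assumption for this example.
BACKGROUND_HOSTS = {"tse1.mm.bing.net"}

# Rows copied from the behavioral2 Network table, plus one constructed row at the end
# (203.0.113.0/24 is documentation space, .invalid is a reserved TLD) for testing.
NETWORK_TABLE = """
Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 28.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
XX 203.0.113.10:443 c2.example.invalid tcp
"""


def ptr_to_ip(name: str) -> Optional[str]:
    """Turn a reverse-DNS query name d.c.b.a.in-addr.arpa back into the address a.b.c.d."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ValueError:
        return None


def parse_rows(table: str) -> list:
    """Parse the whitespace-separated Country/Destination/Domain/Proto rows."""
    rows = []
    for line in table.strip().splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] == "Country":
            continue
        country, dest, domain, proto = parts
        rows.append({"country": country, "dest": dest, "domain": domain, "proto": proto})
    return rows


def classify(row: dict):
    """Label one row: reverse-dns (a PTR lookup, which only reveals the address being
    looked up), background-host (allowlisted guest noise), or review."""
    ip = ptr_to_ip(row["domain"])
    if ip is not None and row["dest"].endswith(":53"):
        return "reverse-dns", ip
    if row["domain"].lower() in BACKGROUND_HOSTS:
        return "background-host", None
    return "review", None


def triage_network(table: str) -> dict:
    """Summarise a network table: label counts, rows needing analyst review, and the
    addresses that were reverse-resolved (useful to cross-check against connections)."""
    counts = Counter()
    review = []
    ptr_targets = set()
    for row in parse_rows(table):
        label, ip = classify(row)
        counts[label] += 1
        if ip is not None:
            ptr_targets.add(ip)
        if label == "review":
            review.append(row)
    return {"counts": dict(counts), "review": review, "ptr_targets": sorted(ptr_targets)}


if __name__ == "__main__":
    print(triage_network(NETWORK_TABLE))
```

Run on the report's rows alone (drop the constructed last line) the review list is empty, which is the basis for the "no network IOC" assessment above; the ptr_targets list is still worth keeping, since an address that is reverse-resolved but never connected to is a hint that the guest, not the sample, did the lookup.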

Files

memory/4852-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3227495264-2217614367-4027411560-1000\desktop.ini.tmp

MD5 c21f36a7c86199cc393649423bb89144
SHA1 9c8939cff95e68de2073cfeea132b354e58113b3
SHA256 fa09a8a744e44a38aeb4a9988484e12142e0c3c36f308adc88bdc391e15bf8a5
SHA512 9bfc982fe61412aee7bdca9dba9e680e64bf448ecda82c8bfcee9a0d7133aeadef2a053c10778212d7ddcecbceb056bb7010061ebffa53fd5295736f4c2b775f

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 481872456d6ff77e66461f0252850a05
SHA1 0e3a9b168231fb009ae8150ab704cd1b48805300
SHA256 ac3845b9cdd43d9a4e00bc6759b5e6dfa46e375295581e7f409296c3f89c824a
SHA512 ed37fc682e0193a84f219e1046b161a0f374908254ec0ced25e478f0ba693b64966cb373d58e321ce2b46e97def83bd18b05a5f0ab54fc2f4c386958ecde418b

memory/4852-654-0x0000000000400000-0x000000000040B000-memory.dmp