Malware Analysis Report

2025-01-22 20:17

Sample ID 241020-bp5v6ssdlp
Target b56c77817ae941e0fdcdc96400028ed816edeb32add854df0177e1e7d8d8694a
SHA256 b56c77817ae941e0fdcdc96400028ed816edeb32add854df0177e1e7d8d8694a
Tags: upx discovery ransomware
Score: 9/10


Analysis Overview

Score: 9/10

SHA256

b56c77817ae941e0fdcdc96400028ed816edeb32add854df0177e1e7d8d8694a

Threat Level: Likely malicious

The file b56c77817ae941e0fdcdc96400028ed816edeb32add854df0177e1e7d8d8694a was found to be: Likely malicious.

Malicious Activity Summary

upx discovery ransomware

Renames multiple (695) files with added filename extension

Renames multiple (5052) files with added filename extension

UPX packed file

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-20 01:20

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-20 01:20

Reported

2024-10-20 01:22

Platform

win7-20241010-en

Max time kernel

150s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b56c77817ae941e0fdcdc96400028ed816edeb32add854df0177e1e7d8d8694a.exe"

Signatures

Renames multiple (695) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b56c77817ae941e0fdcdc96400028ed816edeb32add854df0177e1e7d8d8694a.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b56c77817ae941e0fdcdc96400028ed816edeb32add854df0177e1e7d8d8694a.exe

"C:\Users\Admin\AppData\Local\Temp\b56c77817ae941e0fdcdc96400028ed816edeb32add854df0177e1e7d8d8694a.exe"

Network

N/A

Files

memory/2792-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3692679935-4019334568-335155002-1000\desktop.ini.tmp

MD5 5d091c02315ddc0cbfdb39522a530b0c
SHA1 aafeec4480e026cfb88b422b8a393889a4254565
SHA256 1a8dfb5b20cf4ce6ff2863a47e3dd693159ed932f4cc6dca4f3041075b142cd5
SHA512 3d1706d1d93642dd99df24bb36226e3c1847119ce12491bd332de823c8423713427b952c835f0c8386372d4c6196068d272c32cd209e06f5dd83425bf10dc482

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 4740b4c2afac47b0b4f11bee16732868
SHA1 a1a076d6fad877b93d84dc271abf2c5441d44ef6
SHA256 6d2bbb9b8b41ca6763cbc22b76ea5a6540c931d173b8c5b3000baecdfda9c1b8
SHA512 0fcd6fc7075cb1a974b74db8a4e5e569e18688d637881f73322cbee60f2965ca57682f759c3110ea4924ca8e4376a1403bbdb2c446a48546a8ca389612ec6335

memory/2792-26-0x0000000000400000-0x000000000040B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-20 01:20

Reported

2024-10-20 01:22

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b56c77817ae941e0fdcdc96400028ed816edeb32add854df0177e1e7d8d8694a.exe"

Signatures

Renames multiple (5052) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b56c77817ae941e0fdcdc96400028ed816edeb32add854df0177e1e7d8d8694a.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b56c77817ae941e0fdcdc96400028ed816edeb32add854df0177e1e7d8d8694a.exe

"C:\Users\Admin\AppData\Local\Temp\b56c77817ae941e0fdcdc96400028ed816edeb32add854df0177e1e7d8d8694a.exe"

Network


Files

memory/2984-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-4050598569-1597076380-177084960-1000\desktop.ini.tmp

MD5 636c9ea0abb4eb889adbe521ce9e6e2c
SHA1 493d84b6401bdebc41775fc06b8c9185906fb376
SHA256 d8879ccbdb5327e3e3d45ba8451435d33c6601de944077d5cd0517302dc26a46
SHA512 8a830141b38ee1042339d59c037f577a2c9ac4487761c55e8bb229849faeace8091068a613fb7f8ad835e091e7d3799df9c7d63ad6f6d4a4b1b7665ccdc29209

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 6dfb44d94eb090dd9c0799aea7077696
SHA1 9966919256eaea745ea8b2035df597000597b775
SHA256 65405a2d792d8cacd262e1f699ac31f349bcd17a0a8eb8542706e9ba158c1803
SHA512 fd93c49b40d3a5c1e45eb7618d264f5191cd4ab91f949bcd75a8214c70f2e227aaec11d05042c5de23f1398d1bba647384c5600f20f2cc4e0a52041004947370

memory/2984-662-0x0000000000400000-0x000000000040B000-memory.dmp