Malware Analysis Report

2024-09-23 05:09

Sample ID 240613-blr5xaydqg
Target 065854c707faf010dd871dd4646027c0.bin
SHA256 d79ce1a98a73bac7e542c94cd051eb596901bc53c983ad8395d85b7b6acd7101
Tags
ransomware
score
9/10

Analysis Overview

score
9/10

SHA256

d79ce1a98a73bac7e542c94cd051eb596901bc53c983ad8395d85b7b6acd7101

Threat Level: Likely malicious

The file 065854c707faf010dd871dd4646027c0.bin was found to be: Likely malicious.

Malicious Activity Summary

ransomware

Renames multiple (5193) files with added filename extension

Renames multiple (3702) files with added filename extension

Drops file in Program Files directory

Unsigned PE

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-13 01:14

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 01:14

Reported

2024-06-13 01:16

Platform

win7-20240508-en

Max time kernel

150s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\065854c707faf010dd871dd4646027c0.exe"

Signatures

Renames multiple (3702) files with added filename extension

ransomware

Drops file in Program Files directory

Processes

C:\Users\Admin\AppData\Local\Temp\065854c707faf010dd871dd4646027c0.exe

"C:\Users\Admin\AppData\Local\Temp\065854c707faf010dd871dd4646027c0.exe"

Network

N/A

Files

C:\$Recycle.Bin\S-1-5-21-3691908287-3775019229-3534252667-1000\desktop.ini.tmp

MD5 61ec2bbe2cafc6f367dac7e4fe623bec
SHA1 dae1d919958102cff52ff90bd62ab50397fcea16
SHA256 bf25787a9660d12f56663c51846e45599eda1a8d0ce2ee0a4af05a270e45b91b
SHA512 22ea6998fa24b82ad150b4dd49ece406aef9a7f2c7b4c449174ac100b30d0a0c837956400f1d6abde8920492688b0894a6b512c1a247d3047a2d434cda974071

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 5c7cdd0243b724bb3f86a53d55c8e7b2
SHA1 e0f8f57cff8b37091a8124537b2fcfa6081efe41
SHA256 4869b75d5a529c461c7ca66881de00e10ee9a0b4d6e4c03ab9da9fa4f8c3ca50
SHA512 4ff43573844ae65853ec98bbeba301c85a341a41f61501fe6a72281611bb83215e1f84adce3b26fe8761cb90d1fd530d30aadbf859832d4b84c5f0e17a9cbc41

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 01:14

Reported

2024-06-13 01:16

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

100s

Command Line

"C:\Users\Admin\AppData\Local\Temp\065854c707faf010dd871dd4646027c0.exe"

Signatures

Renames multiple (5193) files with added filename extension

ransomware

Drops file in Program Files directory

Processes

C:\Users\Admin\AppData\Local\Temp\065854c707faf010dd871dd4646027c0.exe

"C:\Users\Admin\AppData\Local\Temp\065854c707faf010dd871dd4646027c0.exe"

Network

Country Destination Domain Proto
US 52.111.227.11:443 tcp

Files

C:\$Recycle.Bin\S-1-5-21-4124900551-4068476067-3491212533-1000\desktop.ini.tmp

MD5 f1801a60fdd2cebf45590278491cbceb
SHA1 d46377b90dcd45c031321d590a871a14480a5672
SHA256 10bd3dd2f1469d698ac838e27e41456363523ebe0c69759845e443e61e3fb30e
SHA512 133b33013a8ce131a5bc7b7077ce3ba9acb72910cfe1cedeb75fa855337f21304659cc59f19efc0f5fe285a00767c5825fde813da0ac73163c2a7e65d4838599

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 f6476d988308fcefd30f6621745ab007
SHA1 9c2b3bdac9b324b2a8fc6ef6dff58f99e31a4e97
SHA256 3cd376efb947f76999576826ef59a3b8388aed451c02837ff799d0bfee138de9
SHA512 dce0b3904a38af72f398ca7b47d3f56e614baada8c87f0ce58a31b3d5c6f9724af70192a47e0342dd22cb9e6f0cccb9edf7574ab12bb804f33319fbee1f67a29