Malware Analysis Report

2025-08-11 01:48

Sample ID 241005-yds4kazhlk
Target 280581849dde34cb738dc5056029d8da06cff397fb32632375afcd55753f3bb0
SHA256 280581849dde34cb738dc5056029d8da06cff397fb32632375afcd55753f3bb0
Tags discovery ransomware
Score 9/10

Analysis Overview

Score 9/10

SHA256

280581849dde34cb738dc5056029d8da06cff397fb32632375afcd55753f3bb0

Threat Level: Likely malicious

The file 280581849dde34cb738dc5056029d8da06cff397fb32632375afcd55753f3bb0 was found to be: Likely malicious.

Malicious Activity Summary

discovery ransomware

Renames multiple (3487) files with added filename extension

Renames multiple (4873) files with added filename extension

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-05 19:40

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-05 19:40

Reported

2024-10-05 19:43

Platform

win7-20240903-en

Max time kernel

150s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\280581849dde34cb738dc5056029d8da06cff397fb32632375afcd55753f3bb0.exe"

Signatures

Renames multiple (3487) files with added filename extension

ransomware

Drops file in Program Files directory

Description Indicator Process Target

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\280581849dde34cb738dc5056029d8da06cff397fb32632375afcd55753f3bb0.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\280581849dde34cb738dc5056029d8da06cff397fb32632375afcd55753f3bb0.exe

"C:\Users\Admin\AppData\Local\Temp\280581849dde34cb738dc5056029d8da06cff397fb32632375afcd55753f3bb0.exe"

Network

N/A

Files

C:\$Recycle.Bin\S-1-5-21-312935884-697965778-3955649944-1000\desktop.ini.tmp

MD5 e884bed751ee7ba032e0dce6a950c1b4
SHA1 219f9bdd741d2b3db8f6ffa0f0e9abf7d0626dc6
SHA256 886453dd4594c51b49b60f9ad2986e3aeff1f1c759645b486d5f90be67f1528e
SHA512 2d416911aa07c3c21ce90ea26fea22b8a12deb248b2e19bbf721c024ac1903f23c8405c4b714666f85b9bc5f8c28221178246db3c8d602fe266f4d2d97040c4c

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 2509375cb0fa00c661b9c18501c7783e
SHA1 84d2e4294df30e16f11fb8973ba99e466568d469
SHA256 7a8aa39ce839ce19ac8e19a0f8612e294d717987c03d3baee2f55af6735463d0
SHA512 3cff98be0ec26fac73e827882b24315c2adfebe51b416e6b16362c355e018c4a08009e9abd0f866cff0d4651503da794ce4bb1804b843fd3d3198dd745586d16

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-05 19:40

Reported

2024-10-05 19:43

Platform

win10v2004-20240802-en

Max time kernel

150s

Max time network

133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\280581849dde34cb738dc5056029d8da06cff397fb32632375afcd55753f3bb0.exe"

Signatures

Renames multiple (4873) files with added filename extension

ransomware

Drops file in Program Files directory

Description Indicator Process Target

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\280581849dde34cb738dc5056029d8da06cff397fb32632375afcd55753f3bb0.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\280581849dde34cb738dc5056029d8da06cff397fb32632375afcd55753f3bb0.exe

"C:\Users\Admin\AppData\Local\Temp\280581849dde34cb738dc5056029d8da06cff397fb32632375afcd55753f3bb0.exe"

Network

Country Destination Domain Proto

Files

C:\$Recycle.Bin\S-1-5-21-355097885-2402257403-2971294179-1000\desktop.ini.tmp

MD5 182fd191480d9a541f8c872a086d5709
SHA1 ec02874aed4341830665cc527eac62ed76d3d17e
SHA256 bab2e1a63fd7561d1bbd27f0e6a26792d6fbf820cfd35643b7cf8c68fd6b81db
SHA512 708a7799a23ff3956c41dc2ae94a0792af278f78ff37dee86b3310d29132c036eb1e7604630611fc68d4c1320d1162b51833d09e63e421898ad373586e06f131

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 3c4baaca1720a585c1fbd38a9cf6b7dd
SHA1 f23b1a3ee54e4abf89675db4e6d245de6c842064
SHA256 4382d997b03ddc32b766dc01fad5e5282aa4b95e8034e0a11e65c17394d7bb08
SHA512 3c0ecf420170fed3bf0aac39f88508f3634b02447bf317efbf75205139e42d05011e2d98af8a9d81ffabee481e9e4a38fa97137845c800120c0e49071c74f268