Malware Analysis Report

2025-08-11 01:47

Sample ID 241005-yg3r6svhqh
Target 648274553880069e1e1b55e57c2b8763ec4d4bb5428be778747af8ae1837c7cb.exe
SHA256 648274553880069e1e1b55e57c2b8763ec4d4bb5428be778747af8ae1837c7cb
Tags discovery ransomware
Score 9/10

Analysis Overview

Score 9/10

SHA256

648274553880069e1e1b55e57c2b8763ec4d4bb5428be778747af8ae1837c7cb

Threat Level: Likely malicious

The file 648274553880069e1e1b55e57c2b8763ec4d4bb5428be778747af8ae1837c7cb.exe was found to be: Likely malicious.

Malicious Activity Summary

discovery ransomware

Renames multiple (5193) files with added filename extension

Renames multiple (3731) files with added filename extension

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-05 19:46

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-05 19:46

Reported

2024-10-05 19:48

Platform

win7-20240729-en

Max time kernel

149s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\648274553880069e1e1b55e57c2b8763ec4d4bb5428be778747af8ae1837c7cb.exe"

Signatures

Renames multiple (3731) files with added filename extension

ransomware

Drops file in Program Files directory


System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\648274553880069e1e1b55e57c2b8763ec4d4bb5428be778747af8ae1837c7cb.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\648274553880069e1e1b55e57c2b8763ec4d4bb5428be778747af8ae1837c7cb.exe

"C:\Users\Admin\AppData\Local\Temp\648274553880069e1e1b55e57c2b8763ec4d4bb5428be778747af8ae1837c7cb.exe"

Network

N/A

Files

C:\$Recycle.Bin\S-1-5-21-2703099537-420551529-3771253338-1000\desktop.ini.tmp

MD5 3ff1c54e8b1c195740ccb30a2eee4f2c
SHA1 b24307d77274a18e77b0b7e8bf6726ea431df254
SHA256 2d6cd341813c0cbc1a58ac9a83e6c25b0a375c125d366ffac7eeef47dac8d5db
SHA512 d03c94cfdc07e3a0e02ec0fb2781a335de2e65b1af924b93c01ca39b38abed4bdb608861bc73d48eea66c72610924ea1d7bf10c79961e5a5415dd42b5d2f5511

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 247d39183f5f8cc8cca712b615712dfa
SHA1 bee054bbfbc60910e754ae70cd0679a7e4b1e5b4
SHA256 f19411b95e9fa7075b95e92a07f12164809069f092761dc94fbc52373cc48b1a
SHA512 9a02b68cfdfb95f37040f48a8734d579b4d6f26ed88d3b59f49ec7ed2031f53e2b08405d25b2f3a9599749723401c4ea42072a25ad78723523830e5940bedd2b

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-05 19:46

Reported

2024-10-05 19:48

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\648274553880069e1e1b55e57c2b8763ec4d4bb5428be778747af8ae1837c7cb.exe"

Signatures

Renames multiple (5193) files with added filename extension

ransomware

Drops file in Program Files directory


System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\648274553880069e1e1b55e57c2b8763ec4d4bb5428be778747af8ae1837c7cb.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\648274553880069e1e1b55e57c2b8763ec4d4bb5428be778747af8ae1837c7cb.exe

"C:\Users\Admin\AppData\Local\Temp\648274553880069e1e1b55e57c2b8763ec4d4bb5428be778747af8ae1837c7cb.exe"

Network


Files

C:\$Recycle.Bin\S-1-5-21-1302416131-1437503476-2806442725-1000\desktop.ini.tmp

MD5 0ce401656224e91fdfcb5810c9e2d083
SHA1 1c28e69a1d854826a4bacf511f39955724b7ecfd
SHA256 dd172313137dc68ef6fb675e2f0f09eba46eb2c15dacb3f16c86dc0144c7b230
SHA512 c20bf1fbb66c148439cc57bf1b31056b01c9e09bb128f3ecc9d456a7f1fbf26788cf442b9189b9f83f9ee1f500d9565cfe0b9cc3fc67adcfbcd1d25162bf65ff

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 223d7e89b4dbc0b6627a0e3a196ef078
SHA1 55a18b61100d5556c4fafcb7ca68d54a27a37096
SHA256 a9e03c74af713ff040d42fa08bb28a0a628464c344206216723e36c93e8ad1d8
SHA512 05e9fe884cef95d3afde3f9d25f1a9132e6c6adbf118d67faeb9dfecc7e045c020d768073dc26cf365a9bb334a1a72a833543f8b604e1473928ff66dc64c4aff