Malware Analysis Report

2025-08-05 21:56

Sample ID 241006-mk2hqstdna
Target 80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N
SHA256 80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969
Tags
discovery ransomware
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969

Threat Level: Likely malicious

The file 80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N was found to be: Likely malicious.

Malicious Activity Summary

discovery ransomware

Renames multiple (5048) files with added filename extension

Renames multiple (3858) files with added filename extension

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-06 10:32

Signatures

Unsigned PE

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-06 10:32

Reported

2024-10-06 10:34

Platform

win7-20240903-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe"

Signatures

Renames multiple (3858) files with added filename extension

ransomware

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waning-crescent.png.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\7-Zip\Lang\si.txt.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Guyana.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Tijuana.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_winxp_blu.css.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Microsoft Games\Multiplayer\Checkers\es-ES\chkrzm.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\dialogs\create_stream.html.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_double.png.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Windows Sidebar\sbdrop.dll.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Windows Journal\fr-FR\NBMapTIP.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\en-US\sqlxmlx.rll.mui.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\feature.properties.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ui.zh_CN_5.5.0.165303.jar.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-keyring-impl.jar.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host-remote.xml.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Asia\Novokuznetsk.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WinFXList.xml.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\11.png.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Acrofx32.dll.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\prism-d3d.dll.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaSansDemiBold.ttf.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\VideoLAN\VLC\skins\winamp2.xml.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Windows Media Player\wmpenc.exe.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\it-IT\oledb32r.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Belgrade.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-openide-compat.xml_hidden.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Pacific\Pitcairn.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Mozilla Firefox\precomplete.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\WindowsBase.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\demux\librawvid_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.Entity.Resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\add_down.png.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_de.properties.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Santarem.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\ECLIPSE_.SF.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.repository.nl_zh_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Windows Defender\MpEvMsg.dll.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\micaut.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Common Files\System\msadc\fr-FR\msadcfr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\CST6CDT.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\ECLIPSE_.SF.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Microsoft Games\Purble Place\PurblePlace2.dll.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Data.Entity.Resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\graph_over.png.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Common Files\System\msadc\es-ES\msadcfr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\JAWTAccessBridge-64.dll.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-sendopts.xml.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Asia\Urumqi.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Microsoft Games\Multiplayer\Backgammon\it-IT\bckgzm.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\currency.js.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\ink\skchui.dll.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Java\jre7\bin\awt.dll.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Java\jre7\lib\images\cursors\win32_LinkNoDrop32x32.gif.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Asia\Sakhalin.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Windows Media Player\de-DE\wmpnetwk.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\en-US\sqloledb.rll.mui.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\huemainsubpicture2.png.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\db\bin\derby_common.bat.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.theme.nl_ja_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Mozilla Firefox\api-ms-win-crt-runtime-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.cer.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\TipRes.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe

"C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe"

Network

N/A

Files

C:\$Recycle.Bin\S-1-5-21-1488793075-819845221-1497111674-1000\desktop.ini.tmp

MD5 87350586078bfa0010d42f2f12fc072d
SHA1 a1f8a7be842153879921bb0816aed2221816d1a8
SHA256 fdef7031c3cb649eb7a45b01f9338f68b07d1a50263260b553c7d47eeb08a44c
SHA512 3475b4354110dda2faba575a9fe2b83815ee9245aa26cfff7ae3b8bfb22aa89f57f946b51f6224a1ac5c0dd0b6e22f58e41e4dc7c57d91b9c76c5af9d93db088

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 0e279d93894770ab560a673c8039b483
SHA1 7c0b835fd0b004ff32bd155207c48a2535324755
SHA256 0915e004df2c696eeed6b77e05df5e75bf8d5cbc5d3dbb9be7c136c00caf197c
SHA512 99532ab34f8cc1badd808b5be0763fa491a0212bf1a451f1ce1784d267e0224b6bcd068d2090fcef6f6ba96ac4332a61efec7a084c32354c4bef4a65d5f3c61b

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-06 10:32

Reported

2024-10-06 10:34

Platform

win10v2004-20240802-en

Max time kernel

150s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe"

Signatures

Renames multiple (5048) files with added filename extension

ransomware

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\dotnet\dotnet.exe.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Grunge Texture.eftx.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Common Files\System\msadc\msaddsr.dll.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.dll.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\UIAutomationClientSideProviders.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\UIAutomationTypes.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\jsound.dll.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Java\jre-1.8\legal\jdk\zlib.md.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest2-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Retail-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\System.Runtime.InteropServices.RuntimeInformation.dll.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.scale-100.png.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.Xml.dll.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\UIAutomationClient.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Windows.Input.Manipulations.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTrial-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub_eula.txt.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-file-l1-2-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.MemoryMappedFiles.dll.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Timer.dll.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Java\jdk-1.8\legal\javafx\icu_web.md.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue Green.xml.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Common Files\DESIGNER\MSADDNDR.OLB.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\System.Windows.Forms.Primitives.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Subscription-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Retail-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationCore.dll.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-white_scale-180.png.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected] C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\7-Zip\Lang\pl.txt.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\legal\jdk\asm.md.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\legal\jdk\ecc.md.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Trial-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART13.BDR.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Extensions.dll.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\Microsoft.VisualBasic.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.DirectoryServices.dll.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\PresentationUI.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-processenvironment-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Intrinsics.dll.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Tasks.Dataflow.dll.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Microsoft.WindowsDesktop.App.deps.json.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Drawing.dll.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\UIAutomationClientSideProviders.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ONBttnWD.dll.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ValueTuple.dll.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Windows.Input.Manipulations.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\idlj.exe.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\7-Zip\Lang\ps.txt.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\UIAutomationClient.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\System.Windows.Forms.Design.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\WindowsFormsIntegration.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_KMS_Client-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\en-US\mip.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ipsrom.xml.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Encoding.CodePages.dll.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.XDocument.dll.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Windows.Forms.Primitives.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A
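The two "Drops file in Program Files directory" tables (behavioral1 above and behavioral2 here) and the paired "Renames multiple (3858/5048) files with added filename extension" signatures are easier to reason about once the flattened rows are parsed. The Python below is an added triage helper, not part of the sandbox report or its tooling: it parses rows in this exact "Description Indicator Process Target" layout, measures the mass-rename pattern (every created file is an existing name plus one uniform extension, .tmp in what the report shows) and flags the NLS\Language registry read that the next signature block attributes to System Language Discovery (ATT&CK T1614.001). The sample rows are a constructed subset copied from this page, not the full event set; the thresholds in mass_rename_verdict are illustrative assumptions. One caveat a responder should keep in mind: the report shows only the .tmp staging files, not the final renamed names, so the script characterises what is visible here rather than the extension a victim would see.

```python
"""Added triage helper for the flattened indicator rows in this report.

Parses "File created" and "Key opened" rows of the form
"<Description> <Indicator> <Process> <Target>", characterises the mass-rename
pattern and flags the NLS\\Language registry read (ATT&CK T1614.001).
"""
import re
from collections import Counter
from pathlib import PureWindowsPath

# One flattened row. The process column is the only whitespace-free path that
# ends in ".exe", so a lazy indicator match followed by it is unambiguous here.
ROW_RE = re.compile(
    r"^(?P<desc>File created|Key opened)\s+"
    r"(?P<indicator>.+?)\s+"
    r"(?P<process>[A-Za-z]:\\\S+\.exe)\s+"
    r"(?P<target>\S+)$"
)

PROC = (r"C:\Users\Admin\AppData\Local\Temp"
        r"\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe")

# Constructed sample: eight rows copied from the tables on this page, not the
# full 3858 / 5048 events the signatures count.
SAMPLE_ROWS = [
    f"File created {p} {PROC} N/A" for p in (
        r"C:\Program Files\7-Zip\Lang\si.txt.tmp",
        r"C:\Program Files\Java\jdk1.7.0_80\jre\bin\prism-d3d.dll.tmp",
        r"C:\Program Files\Windows Media Player\wmpenc.exe.tmp",
        r"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Acrofx32.dll.tmp",
        r"C:\Program Files\dotnet\dotnet.exe.tmp",
        r"C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub_eula.txt.tmp",
        r"C:\Program Files\Mozilla Firefox\precomplete.tmp",
    )
] + [
    rf"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language {PROC} N/A",
]


def parse_rows(rows):
    """Return one dict (desc, indicator, process, target) per row that matches
    the flattened table layout; rows of other shapes are skipped."""
    events = []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m:
            events.append(m.groupdict())
    return events


def summarize_file_events(events):
    """Characterise created files: which extension was appended, what original
    extensions sit underneath it, and which program directories were touched."""
    appended = Counter()
    original = Counter()
    dirs = set()
    for ev in events:
        if ev["desc"] != "File created":
            continue
        path = PureWindowsPath(ev["indicator"])
        sfx = path.suffixes                      # e.g. ['.txt', '.tmp']
        appended[sfx[-1].lower() if sfx else ""] += 1
        original[sfx[-2].lower() if len(sfx) >= 2 else "(none)"] += 1
        dirs.add("\\".join(path.parts[1:3]))     # e.g. 'Program Files\7-Zip'
    return {"files": sum(appended.values()), "appended": appended,
            "original": original, "dirs": sorted(dirs)}


def mass_rename_verdict(summary, min_files=5, min_dirs=3):
    """Ransomware-style signal: one appended extension on every created file,
    spread across several unrelated program directories. Thresholds are
    illustrative assumptions, not values from the report."""
    if summary["files"] < min_files or len(summary["dirs"]) < min_dirs:
        return False
    ext, n = summary["appended"].most_common(1)[0]
    return bool(ext) and n == summary["files"]


def language_discovery(events):
    """T1614.001: return registry indicators that read HKLM\\...\\NLS\\Language,
    the key this sample opens before touching Program Files."""
    return [ev["indicator"] for ev in events
            if ev["desc"] == "Key opened"
            and ev["indicator"].lower().endswith(r"\control\nls\language")]


if __name__ == "__main__":
    evs = parse_rows(SAMPLE_ROWS)
    summ = summarize_file_events(evs)
    print(f"{summ['files']} files created across {len(summ['dirs'])} program dirs")
    print("appended extension(s):", dict(summ["appended"]))
    print("original extensions underneath:", dict(summ["original"]))
    print("mass-rename verdict:", mass_rename_verdict(summ))
    print("T1614.001 language discovery:", language_discovery(evs))
```

Feeding the script the full indicator export rather than the eight sample rows gives the per-directory spread and the set of original extensions the sample is willing to touch (here including .exe and .dll under Program Files, which is unusual for commodity ransomware that targets documents), both of which are useful when writing a file-system detection or deciding what to restore first.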

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe

"C:\Users\Admin\AppData\Local\Temp\80d13e90434f7e30118a96cf02c0bc28434cff9ddb4ff7f5a174193031a38969N.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4164,i,1330210614411927383,9239043499051775691,262144 --variations-seed-version --mojo-platform-channel-handle=4460 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 100.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 25.73.42.20.in-addr.arpa udp

Files

C:\$Recycle.Bin\S-1-5-21-2170637797-568393320-3232933035-1000\desktop.ini.tmp

MD5 8b37232ae899c7f7b95ec2fed82fa850
SHA1 5a3f35fcc721238144a5e88b0e7a0541b98af0c4
SHA256 2b3d86f25d9db991f71f7aaa47087713362d1d4be063db4cb4ace5973e88ec97
SHA512 88cd9dddcae3d4de24e1ec697f7346a726dad68f2536861498f9f58a66021a8494798093cb281255c533da057ccddbb004cf781a2276b292c423d285b7c5e8a0

C:\Program Files\7-Zip\7-zip.chm.tmp

MD5 32d012c17931fe99c00d5678bff9f677
SHA1 eb67924b4c374f5cf399a572d64e459b3d127dad
SHA256 115a387db98ea8181a938c9369d325b8fc3191bcda8d7c4e5bf26d515211c537
SHA512 eca0ec066c896361d765210fa92503b92096472693468866752138ea3e704cf6a7af01ecab940d6cc85ae55cb959460a6d154391fac2bc34aa303e395096a29a