Malware Analysis Report

2025-03-15 08:16

Sample ID 241016-ewcprasclb
Target b5c104b8d8e6cc7b35f5fb5f3eb1135b0108bbfe885d8a392d5b5f8c50cdc09fN
SHA256 b5c104b8d8e6cc7b35f5fb5f3eb1135b0108bbfe885d8a392d5b5f8c50cdc09f
Tags
discovery ransomware
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

b5c104b8d8e6cc7b35f5fb5f3eb1135b0108bbfe885d8a392d5b5f8c50cdc09f

Threat Level: Likely malicious

The file b5c104b8d8e6cc7b35f5fb5f3eb1135b0108bbfe885d8a392d5b5f8c50cdc09fN was found to be: Likely malicious.

Malicious Activity Summary

discovery ransomware

Renames multiple (330) files with added filename extension

Renames multiple (4622) files with added filename extension

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-16 04:17

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 04:17

Reported

2024-10-16 04:19

Platform

win7-20241010-en

Max time kernel

120s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b5c104b8d8e6cc7b35f5fb5f3eb1135b0108bbfe885d8a392d5b5f8c50cdc09fN.exe"

Signatures

Renames multiple (330) files with added filename extension

ransomware

Drops file in Program Files directory

Description Indicator Process Target

All 64 rows below share the same Description ("File created"), Process (C:\Users\Admin\AppData\Local\Temp\b5c104b8d8e6cc7b35f5fb5f3eb1135b0108bbfe885d8a392d5b5f8c50cdc09fN.exe) and Target (N/A); only the Indicator column (the created file) differs per row:

C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-image-mask.png.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_SelectionSubpicture.png.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\ea.xml.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\performance.png.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\1047x576black.png.tmp
C:\Program Files\Common Files\Microsoft Shared\Stationery\Psychedelic.jpg.tmp
C:\Program Files\Common Files\System\Ole DB\oledb32r.dll.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-previous-static.png.tmp
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\external_extensions.json.tmp
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\kn.pak.tmp
C:\Program Files\7-Zip\7-zip.chm.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\Full\dotslightoverlay.png.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToScenesBackground_PAL.wmv.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_MATTE_PAL.wmv.tmp
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\tipresx.dll.mui.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationLeft_ButtonGraphic.png.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\IpsMigrationPlugin.dll.mui.tmp
C:\Program Files\Common Files\System\ado\ja-JP\msader15.dll.mui.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\blackbars60.png.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationRight_ButtonGraphic.png.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\16_9-frame-image-inset.png.tmp
C:\Program Files\7-Zip\Lang\tt.txt.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Title_Page_Ref_PAL.wmv.tmp
C:\Program Files\EditImport.mov.tmp
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_wer.dll.tmp
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ko.pak.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\TipRes.dll.mui.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipRes.dll.mui.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-back-static.png.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\en-US\split.avi.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\Full\pushplaysubpicture.png.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\oskpredbase.xml.tmp
C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.htm.tmp
C:\Program Files\Common Files\Microsoft Shared\Stationery\Shorthand.emf.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_precomp_matte.wmv.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\shadowonlyframe_videoinset.png.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\sports_disc_mask.png.tmp
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPC.DLL.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\tipskins.dll.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\hwrenalm.dat.tmp
C:\Program Files\Common Files\System\msadc\en-US\msadcer.dll.mui.tmp
C:\Program Files\Common Files\System\msadc\msdfmap.dll.tmp
C:\Program Files\DVD Maker\fr-FR\DVDMaker.exe.mui.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_SelectionSubpictureB.png.tmp
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\gu.pak.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-changjei.xml.tmp
C:\Program Files\7-Zip\Lang\de.txt.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\en-US\IPSEventLogMsg.dll.mui.tmp
C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationLeft_ButtonGraphic.png.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationRight_SelectionSubpicture.png.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationLeft_ButtonGraphic.png.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passport_mask_left.png.tmp
C:\Program Files\7-Zip\Lang\bn.txt.tmp
C:\Program Files\Common Files\System\Ole DB\fr-FR\sqlxmlx.rll.mui.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\numbase.xml.tmp
C:\Program Files\Common Files\System\Ole DB\fr-FR\msdasqlr.dll.mui.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-border.png.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_postage_Thumbnail.bmp.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SceneButtonInset_Alpha1.png.tmp
C:\Program Files\Google\Chrome\Application\chrome.VisualElementsManifest.xml.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\IpsPlugin.dll.tmp

System Location Discovery: System Language Discovery

discovery
Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Local\Temp\b5c104b8d8e6cc7b35f5fb5f3eb1135b0108bbfe885d8a392d5b5f8c50cdc09fN.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b5c104b8d8e6cc7b35f5fb5f3eb1135b0108bbfe885d8a392d5b5f8c50cdc09fN.exe

"C:\Users\Admin\AppData\Local\Temp\b5c104b8d8e6cc7b35f5fb5f3eb1135b0108bbfe885d8a392d5b5f8c50cdc09fN.exe"

Network

N/A

Files

C:\$Recycle.Bin\S-1-5-21-3692679935-4019334568-335155002-1000\desktop.ini.tmp

MD5 7dba84de3f2500367eb22a170f93a512
SHA1 9a80d27f6199abc4cd777de437fead44f7206358
SHA256 1bcdf6abf9e8ce29a8d9264fe79457dde5c16376b61468e48472098cdc374a64
SHA512 d98d557cfbc9371f58b47984ee2b0f111a61c768d6cbe11bdfa703ddc3c08af812b1757b06067c5743744049f5f96eb2952fc0e6905a9e56f5bcf0dcafbddb16

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 4e9745fc38180a0f11d137de95335cae
SHA1 0d63c78257ca805c94b36671ee7a9774f56aa55a
SHA256 8d6f8d53f7d63f4746ad5010fdbde38356ae1249c82fdbb6739dbcd22ffecf09
SHA512 bd99e138414758a1ab503eed218209e624364c5892ac98fcf87378c9c8fdddb0b469bbfda61f8abce051ef5e01479cdc78fea2c468ea197df08478aece42a1d3

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 04:17

Reported

2024-10-16 04:19

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

100s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b5c104b8d8e6cc7b35f5fb5f3eb1135b0108bbfe885d8a392d5b5f8c50cdc09fN.exe"

Signatures

Renames multiple (4622) files with added filename extension

ransomware

Drops file in Program Files directory

Description Indicator Process Target

All 64 rows below share the same Description ("File created"), Process (C:\Users\Admin\AppData\Local\Temp\b5c104b8d8e6cc7b35f5fb5f3eb1135b0108bbfe885d8a392d5b5f8c50cdc09fN.exe) and Target (N/A); only the Indicator column (the created file) differs per row:

C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Globalization.Calendars.dll.tmp
C:\Program Files\Java\jre-1.8\legal\jdk\xerces.md.tmp
C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-ul-phn.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.scale-140.png.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\clretwrc.dll.tmp
C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-file-l1-1-0.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial-pl.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_OEM_Perp-pl.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-140.png.tmp
C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-locale-l1-1-0.dll.tmp
C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART6.BDR.tmp
C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-140.png.tmp
C:\Program Files\Common Files\microsoft shared\ink\ipsen.xml.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\D3DCompiler_47_cor3.dll.tmp
C:\Program Files\Java\jre-1.8\legal\javafx\icu_web.md.tmp
C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONCHARTCOMMON.DLL.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Channels.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.VisualBasic.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Microsoft.VisualBasic.Forms.dll.tmp
C:\Program Files\Java\jre-1.8\lib\flavormap.properties.tmp
C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp2-ul-oob.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Trial-ul-oob.xrm-ms.tmp
C:\Program Files\DisablePing.3g2.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Transactions.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\System.Windows.Forms.Design.resources.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-ul-oob.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\1033\CERTINTL.DLL.tmp
C:\Program Files\Common Files\microsoft shared\ink\ipsnld.xml.tmp
C:\Program Files\Common Files\microsoft shared\ink\ru-RU\tipresx.dll.mui.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationCore.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\UIAutomationClient.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\WindowsBase.resources.dll.tmp
C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sk-sk.dll.tmp
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ja-jp.xml.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\WindowsFormsIntegration.resources.dll.tmp
C:\Program Files\Internet Explorer\en-US\ieinstal.exe.mui.tmp
C:\Program Files\Java\jdk-1.8\jre\bin\JavaAccessBridge-64.dll.tmp
C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-black_scale-80.png.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.dll.tmp
C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe.tmp
C:\Program Files\Java\jdk-1.8\jre\legal\jdk\xalan.md.tmp
C:\Program Files\Java\jre-1.8\legal\jdk\zlib.md.tmp
C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Trial-ul-oob.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Retail-ul-oob.xrm-ms.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\WindowsFormsIntegration.resources.dll.tmp
C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_COL.HXT.tmp
C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Excel.Common.FrontEnd.dll.tmp
C:\Program Files\7-Zip\Lang\kab.txt.tmp
C:\Program Files\7-Zip\Lang\mng.txt.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Emit.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.dll.tmp
C:\Program Files\Common Files\microsoft shared\ink\es-ES\ShapeCollector.exe.mui.tmp
C:\Program Files\Common Files\System\msadc\es-ES\msadcer.dll.mui.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\PresentationFramework.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Windows.Forms.Primitives.resources.dll.tmp
C:\Program Files\Java\jre-1.8\bin\klist.exe.tmp
C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.scale-180.png.tmp
C:\Program Files\Common Files\System\Ole DB\es-ES\oledb32r.dll.mui.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.WebSockets.Client.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\UIAutomationTypes.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PenImc_cor3.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-pl.xrm-ms.tmp
C:\Program Files\7-Zip\Lang\ga.txt.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\ReachFramework.resources.dll.tmp

System Location Discovery: System Language Discovery

discovery
Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Local\Temp\b5c104b8d8e6cc7b35f5fb5f3eb1135b0108bbfe885d8a392d5b5f8c50cdc09fN.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b5c104b8d8e6cc7b35f5fb5f3eb1135b0108bbfe885d8a392d5b5f8c50cdc09fN.exe

"C:\Users\Admin\AppData\Local\Temp\b5c104b8d8e6cc7b35f5fb5f3eb1135b0108bbfe885d8a392d5b5f8c50cdc09fN.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

C:\$Recycle.Bin\S-1-5-21-4089630652-1596403869-279772308-1000\desktop.ini.tmp

MD5 cdcf1e469b8c77aff0e6c8cbae613a34
SHA1 e4ce14e296e82222b3ffde6e813d05f4ef0af989
SHA256 caa02c9349d8f20fe72be3591c25b82fb9f7a0b262de6503c7d9c80fb3f66f9f
SHA512 a63ad93d71736857c72811ae079415497a354d61d120dc79e874991f8b917167ed407e2d223126b14d3565ed5777a379d075272f5bd039ca975068fb42dfd0a5

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 dd40ad89b4a24d73bd8cd4e3b60bc6b6
SHA1 a61e1bd44ffd741c48c6d4ddfc7b1e9c032560ba
SHA256 5618ae852a9f2fc22fa7a02a028cc314ae963644d9e465bb3d49186ed9a42eea
SHA512 b5709c3922e57ea998abf991d304641d0c3773cdc9711ffdfd94d044c911e0dabbcebc48fbb836d3a6ffb5d2218684be10eeb97cc4befa9bb35e2a7472a582cb